CVSS2: 4.3 Medium
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
EPSS: 0.001 Low (Percentile: 48.8%)

OpenStack Dashboard (Horizon) provides administrators and users with a
graphical interface to access, provision, and automate cloud-based
resources.

A cross-site scripting (XSS) flaw was found in the way orchestration
templates were handled. An owner of such a template could use this flaw to
perform XSS attacks against other Horizon users. (CVE-2014-3473)

It was found that network names were not sanitized. A malicious user could
use this flaw to perform XSS attacks against other Horizon users by
creating a network with a specially crafted name. (CVE-2014-3474)

It was found that certain email addresses were not sanitized. An
administrator could use this flaw to perform XSS attacks against other
Horizon users by storing an email address that has a specially crafted
name. (CVE-2014-3475)

Red Hat would like to thank the OpenStack project for reporting these
issues. Upstream acknowledges Jason Hullinger from Hewlett Packard as the
original reporter of CVE-2014-3473, Craig Lorentzen from Cisco as the
original reporter of CVE-2014-3474, and Michael Xin from Rackspace as the
original reporter of CVE-2014-3475.

This update also fixes the following bugs:

Lastly, this update also adds the following enhancement:

All python-django-horizon users are advised to upgrade to these updated
packages, which correct these issues and add this enhancement.

OS | OS Version | Architecture | Package | Affected Version | Filename |
---|---|---|---|---|---|
RedHat | 7 | noarch | openstack-dashboard-theme | < 2014.1.1-2.el7ost | openstack-dashboard-theme-2014.1.1-2.el7ost.noarch.rpm |
RedHat | 7 | noarch | python-django-horizon-doc | < 2014.1.1-2.el7ost | python-django-horizon-doc-2014.1.1-2.el7ost.noarch.rpm |
RedHat | 7 | noarch | python-django-horizon | < 2014.1.1-2.el7ost | python-django-horizon-2014.1.1-2.el7ost.noarch.rpm |
RedHat | 7 | noarch | openstack-dashboard | < 2014.1.1-2.el7ost | openstack-dashboard-2014.1.1-2.el7ost.noarch.rpm |
RedHat | 7 | src | python-django-horizon | < 2014.1.1-2.el7ost | python-django-horizon-2014.1.1-2.el7ost.src.rpm |
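
One way to check a host against the fixed version-release listed in the table above. This is an added example, not part of the Red Hat advisory: the package inventory is constructed sample data, and the comparison is a simplified form of RPM's version ordering that ignores epochs and the `~`/`^` modifiers.

```python
import re

# Fixed version-release and package names, from the advisory's package table.
FIXED = "2014.1.1-2.el7ost"
PACKAGES = {"openstack-dashboard", "openstack-dashboard-theme",
            "python-django-horizon", "python-django-horizon-doc"}

# Constructed sample inventory in the format printed by:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'
SAMPLE = """\
python-django-horizon 2014.1-7.el7ost
python-django-horizon-doc 2014.1.1-1.el7ost
openstack-dashboard 2014.1.1-2.el7ost
openstack-dashboard-theme 2014.1.1-10.el7ost
bash 4.2.46-12.el7
"""

_SEG = re.compile(r"\d+|[A-Za-z]+")

def rpmvercmp(a, b):
    """Simplified RPM ordering: -1, 0 or 1. Ignores epoch and ~/^ modifiers."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():      # numeric segment beats alphabetic
            return 1 if x.isdigit() else -1
        if x.isdigit():                     # compare numbers as integers, so 10 > 2
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # extra segments mean newer

def vr_cmp(a, b):
    """Compare 'version-release' strings: version first, release as tie-breaker."""
    va, _, ra = a.partition("-")
    vb, _, rb = b.partition("-")
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def parse_inventory(text):
    return dict(line.split(None, 1) for line in text.splitlines() if line.strip())

def unpatched(inventory):
    """Names of Horizon packages still below the fixed version-release."""
    return sorted(n for n, vr in inventory.items()
                  if n in PACKAGES and vr_cmp(vr, FIXED) < 0)

if __name__ == "__main__":
    for name in unpatched(parse_inventory(SAMPLE)):
        print("needs update:", name)
```

A plain string comparison would rank release `10.el7ost` below `2.el7ost`; the segment-wise numeric comparison is what keeps the already-updated theme package out of the result.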