1543 matches found
Cross-Site Request Forgery (CSRF) in keystone
Versions of keystone prior to 4.0.0 are vulnerable to Cross-Site Request Forgery (CSRF). The package fails to validate the presence of the X-CSRF-Token header, which may allow attackers to carry out actions on behalf of other users on all endpoints. Recommendation: Update to version 4.0.0 or later...
GHSA-7CV6-GVX3-M54M Cross-Site Scripting in keystone
Versions of keystone prior to 4.0.0 are vulnerable to Cross-Site Scripting (XSS). The package fails to properly encode rendered HTML on admin-created blog posts. This allows attackers to execute arbitrary JavaScript in the victim's browser. Exploiting this vulnerability requires having access to an...
act-copy (>=1.0.0 <=1.0.1), d-pac.cms (=0.5.7) +19 more potentially affected by CVE-2017-15878 via keystone (>=0.2.26 <=4.0.0-beta.4)
keystone (npm) versions =0.2.26, =1.0.0, =0.1.5, =0.1.3, =0.3.1, =0.0.9, =0.2.0, =0.0.1, =1.0.2, =0.0.0, =0.1.0 and more. Source CVEs: CVE-2017-15878. Source advisory: OSV:GHSA-7QCX-JMRC-H2RR...
GHSA-7QCX-JMRC-H2RR Cross-Site Scripting in keystone
Versions of keystone prior to 4.0.0 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize user input on the Contact Us page, allowing attackers to submit contact forms with malicious JavaScript in the message field. The output is not properly encoded, leading an admin that open...
openstack-aodh: Aodh can be used to launder Keystone trusts
A verification flaw was found in openstack-aodh. As part of an HTTP alarm action, a user could pass in a trust ID. However, the trust could be from anyone because it was not verified. Because the trust was then used by openstack-aodh to obtain a keystone token for the alarm action, a malicious us...
Moderate: Red Hat Security Advisory: openstack-aodh security update
An update for openstack-aodh is now available for Red Hat OpenStack Platform 10.0 (Newton). Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each...
CVE-2017-16570
KeystoneJS before 4.0.0-beta.7 allows application-wide CSRF bypass by removing the CSRF parameter and value, aka SecureLayer7 issue number SL7KEYJS03. In other words, it fails to reject requests that lack an x-csrf-token header...
Cross-site Request Forgery (CSRF)
keystone is vulnerable to cross-site request forgery (CSRF) attacks. If a malicious request is made without any CSRF header or value present, attackers are able to bypass the CSRF protections. This is because the library fails to reject a request that doesn't contain the x-csrf-token header...
Cross-site Scripting (XSS)
keystone is vulnerable to cross-site scripting (XSS) attacks. Authenticated administrators can leverage the lack of sanitization in the content brief and content extended fields to inject and execute arbitrary web script...
CSV Injection
keystone is vulnerable to CSV injection attacks. These attacks are possible because of a mishandled value during the exporting of a CSV file...
Cross-site Scripting (XSS)
keystone is vulnerable to cross-site scripting (XSS) attacks. These attacks are possible through the fields/types/markdown/MarkdownType.js file because the markdown is not sanitized. This allows attackers to inject and execute arbitrary web script...
Ubuntu: Security Advisory (USN-3448-1)
The remote host is missing an update for the ... SPDX-FileCopyrightText: 2017 Greenbone AG. Some text descriptions might be excerpted from referenced sources and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only...
Ubuntu 16.04 LTS : OpenStack Keystone vulnerability (USN-3448-1)
The remote Ubuntu 16.04 LTS host has packages installed that are affected by a vulnerability as referenced in the USN-3448-1 advisory. Boris Bobrov discovered that OpenStack Keystone incorrectly handled federation mapping when there are rules in which group-based assignments are not used. A remot...
USN-3448-1 keystone vulnerability
Boris Bobrov discovered that OpenStack Keystone incorrectly handled federation mapping when there are rules in which group-based assignments are not used. A remote authenticated user may receive all the roles assigned to a project regardless of the federation mapping, contrary to expectations...
USN-3448-1: OpenStack Keystone vulnerability
Boris Bobrov discovered that OpenStack Keystone incorrectly handled federation mapping when there are rules in which group-based assignments are not used. A remote authenticated user may receive all the roles assigned to a project regardless of the federation mapping, contrary to expectations...
SUSE-SU-2017:2627-1 Security update for openstack-aodh
This update for openstack-aodh fixes the following security issues: - CVE-2017-12440: Aodh did not verify that trust IDs belong to the user when creating alarm action with the scheme trust+http, which allowed remote authenticated users with knowledge of trust IDs where Aodh is the trustee to obta...
AngelFire: CIA Malware Infects System Boot Sector to Hack Windows PCs
A team of hackers at the CIA, the Central Intelligence Agency, allegedly used a Windows hacking tool against its targets to gain persistent remote access. As part of its Vault 7 leaks, WikiLeaks today revealed details about a new implant developed by the CIA, dubbed AngelFire, to target computers...
OpenStack Security Bypass Vulnerabilities
OpenStack is a cloud platform management project developed by the National Aeronautics and Space Administration (NASA) in collaboration with Rackspace, U.S.A. OpenStack Ocata and Newton are two different versions of it. Aodh is one of its alerting modules. OpenStack Ocata an...