22 matches found
CVE-2016-4428
OpenStack Horizon (Dashboard) is affected by an XSS vulnerability (CVE-2016-4428) present in Horizon 8.0.1 and earlier and 9.0.0–9.0.1. The issue arises from injecting an AngularJS template into a dashboard form, allowing a remote authenticated user to inject arbitrary script/HTML. Impact reporte...
CVE-2012-5474
Affected software: Red Hat OpenStack Platform 2.0 and RHOS Essex Release (python-django-horizon package before 2012.1.1). Vulnerability: the file /etc/openstack-dashboard/local_settings is world readable, exposing the secret key value. Impact (as described): exposure of secret key information;...
CVE-2015-3219
CVE-2015-3219 is a cross-site scripting (XSS) vulnerability in OpenStack Horizon’s Orchestration/Stack UI. The flaw allows an attacker to inject script via the description parameter in a heat template, due to improper handling in the Field class’s help_text. Affected: OpenStack Dashboard ...
CVE-2020-29565
An OpenStack Horizon vulnerability (CVE-2020-29565) arises from insufficient validation of the next URL parameter, allowing an attacker to trigger an automatic redirect to a malicious URL. Affected Horizon branches include pre-15.3.2, 16.x pre-16.2.1, 17.x and 18.x pre-18.3.3, as well as 18.4.x a...
CVE-2014-3474
CVE-2014-3474 is a cross-site scripting (XSS) vulnerability in horizon/static/horizon/js/horizon.instances.js within the Launch Instance menu of the OpenStack Dashboard (Horizon). The affected scope includes Horizon releases before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2. The vul...
CVE-2012-3540
The CVE-2012-3540 issue is an open redirect flaw in OpenStack Horizon Essex (2012.1) affecting the login flow. The vulnerability occurs in views/auth_forms.py (auth/login/) where a next parameter can redirect victims to arbitrary sites, enabling phishing after login. Affected Horizon versions req...
CVE-2017-7400
CVE-2017-7400 affects OpenStack Horizon (9.x–11.0.0). A cross-site scripting (XSS) flaw allows remote authenticated administrators to inject malicious script via a crafted federation mapping. Affected Horizon components include the dashboard UI; exploitation requires federation mapping to be enab...
CVE-2012-2094
CVE-2012-2094 is an OpenStack Horizon XSS vulnerability in the refresh mechanism of the log viewer (horizon/static/horizon/js/horizon.js) affecting folsom-1 and 2012.1 and earlier. The underlying issue allows remote attackers to inject arbitrary script or HTML via the guest console. Documents pro...
CVE-2022-45582
CVE-2022-45582 describes an Open Redirect vulnerability in Horizon Web Dashboard (OpenStack) versions 19.4.0–20.1.4 exploitable via the success_url parameter. The issue is a redirect bypass/validation flaw that could enable phishing or credential-reuse scenarios if an attacker can redirect users ...
CVE-2014-3475
CVE-2014-3475 is an XSS issue in the OpenStack Horizon Users panel (admin/users/). Affected software: OpenStack Horizon before 2013.2.4, OpenStack Horizon 2014.1 before 2014.1.2, and Horizon in the Juno series before Juno-2. Root cause: cross-site scripting via a user email address allows injecti...
CVE-2012-3542
CVE-2012-3542 affects OpenStack Keystone as used in OpenStack Folsom (before folsom-rc1) and Essex (2012.1). The vulnerability arises in the identity service API where a remote attacker can cause an arbitrary user to be added to an arbitrary tenant by updating the user’s default tenant via the ad...
CVE-2012-3426
OpenStack Keystone before version 2012.1.1 (as used in Folsom before Folsom-1 and Essex) does not properly enforce token expiration, allowing remote authenticated users to bypass authorization by: (1) chaining tokens to create new ones, (2) using a token from a disabled account, or (3) using a to...
CVE-2014-3473
The CVE-2014-3473 entry describes a cross-site scripting (XSS) vulnerability in the Horizon Orchestration dashboard’s Orchestration/Stack area when used with Heat. Affected versions are Horizon before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2. The issue allows remote Orchestration ...
CVE-2012-5476
OpenStack RHOS Essex Preview (2012.2) dashboard package contains a vulnerability where /etc/quantum/quantum.conf is world readable, exposing the admin password and token value. Affected component: OpenStack dashboard configuration on RHOS Essex Preview 2012.2. Root cause: file permissions misconf...
CVE-2014-0157
CVE-2014-0157 is an XSS in Horizon (OpenStack Dashboard) via the Heat template description field, affecting OpenStack Horizon 2013.2 before 2013.2.4 and Icehouse before icehouse-rc2. Consequence: remote attacker could inject arbitrary script/HTML. Remediation: apply the Horizon fixes (e.g., updat...
CVE-2014-8124
CVE-2014-8124 affects OpenStack Horizon (Dashboard) prior to the 2014.1.3 series and the 2014.2.x series before 2014.2.1 when using db or memcached session engines. The issue is a denial of service caused by improper handling of session records, allowing an attacker to generate a large number of ...
CVE-2014-8578
CVE-2014-8578: XSS in the OpenStack Horizon Groups panel (remote administrators) via a user email address, affecting Horizon before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2. Root cause: input handling flaw enables arbitrary script/HTML injection. Connected sources confirm the sam...
CVE-2014-3594
CVE-2014-3594 affects OpenStack Horizon (Host Aggregates UI). The vulnerability allows remote administrators to inject arbitrary web script or HTML via a new host aggregate name in the Host Aggregates interface, affecting Horizon releases before 2013.2.4, 2014.1 before 2014.1.2, and Juno before J...
CVE-2013-6858
CVE-2013-6858 affects OpenStack Horizon (OpenStack Dashboard) 2013.2 and earlier. The root cause is improper sanitization of the Instance Name, enabling cross-site scripting (XSS) on the Volumes and Network Topology pages. Multiple advisories (Ubuntu USN-2062-1, Red Hat RHSA-2014:0365, Debian/OSV...
CVE-2012-2144
CVE-2012-2144: Session fixation in OpenStack Horizon (folsom-1 and 2012.1) allows remote attackers to hijack web sessions via the sessionid cookie. Vulnerable component: Horizon UI. Impact: session hijacking via cookie manipulation. Root cause: session fixation through sessionid handling as desc...
CVE-2015-3988
OpenStack Horizon vulnerability CVE-2015-3988 involves multiple XSS flaws in the Horizon dashboard (OpenStack Dashboard), exploitable when metadata is supplied to Glance images, Nova flavors, or Host Aggregates. Affected software is OpenStack Horizon (version 2015.1.0) with remote authentication ...
CVE-2013-4471
CVE-2013-4471 concerns the Identity v3 API in OpenStack Dashboard (Horizon) prior to 2013.2, where the password-change flow does not require the current password, allowing an attacker with a valid authentication token to change a user’s password. Affected component: Horizon’s Identity v3 password...