CVSS2 base score: 3.5 (Low)
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: SINGLE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N
OpenStack Dashboard (horizon) provides administrators and users with a graphical interface to access, provision, and automate cloud-based resources.

A cross-site scripting (XSS) flaw was found in the way orchestration templates were handled. An owner of such a template could use this flaw to perform XSS attacks against other Horizon users. (CVE-2014-3473)

It was found that network names were not sanitized. A malicious user could use this flaw to perform XSS attacks against other Horizon users by creating a network with a specially crafted name. (CVE-2014-3474)

It was found that certain email addresses were not sanitized. An administrator could use this flaw to perform XSS attacks against other Horizon users by storing an email address that has a specially crafted name. (CVE-2014-3475)

A persistent cross-site scripting (XSS) flaw was found in the horizon host aggregate interface. A user with sufficient privileges to add a host aggregate could potentially use this flaw to capture the credentials of another user. (CVE-2014-3594)

Red Hat would like to thank the OpenStack project for reporting these issues. Upstream acknowledges Jason Hullinger from Hewlett Packard as the original reporter of CVE-2014-3473, Craig Lorentzen from Cisco as the original reporter of CVE-2014-3474, Michael Xin from Rackspace as the original reporter of CVE-2014-3475, and Dennis Felsch and Mario Heiderich from the Horst Görtz Institute for IT-Security, Ruhr-University Bochum as the original reporters of CVE-2014-3594.

All python-django-horizon users are advised to upgrade to these updated packages, which correct these issues.
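The bug class behind CVE-2014-3474 (and the other three Horizon issues above) is a stored value, here a network name supplied by a tenant, reaching the HTML output without being escaped. The following is an added example, not Horizon's own code and not the upstream patch: it uses a simplified stand-in for Django's mark_safe/autoescape rule (the SafeString class, mark_safe and conditional_escape below are assumptions for illustration) and a constructed network name, and shows the vulnerable rendering pattern next to the hardened one together with a check that flags raw markup in the rendered cell.

```python
import html

# Constructed sample input: a tenant-chosen network name carrying a payload.
CRAFTED_NETWORK_NAME = 'net"><script>alert(document.cookie)</script>'


class SafeString(str):
    """Marker type: text already known to be safe HTML.

    Simplified analogue of Django's SafeString (assumption, not Django's code).
    """


def mark_safe(value):
    """Tell the renderer to skip escaping for this value (analogue of django.utils.safestring.mark_safe)."""
    return SafeString(value)


def conditional_escape(value):
    """Autoescape rule: escape everything except values explicitly marked safe."""
    if isinstance(value, SafeString):
        return str(value)
    return html.escape(str(value), quote=True)


def render_network_cell_vulnerable(name):
    """Vulnerable pattern: untrusted text is interpolated into markup first,
    and the whole result is then marked safe, so autoescaping never sees the name."""
    return mark_safe('<td class="network-name" title="%s">%s</td>' % (name, name))


def render_network_cell_fixed(name):
    """Hardened pattern: escape the untrusted piece before it is combined with
    markup; only the markup the code itself wrote is trusted."""
    escaped = conditional_escape(name)
    return mark_safe('<td class="network-name" title="%s">%s</td>' % (escaped, escaped))


def contains_raw_markup(rendered):
    """Check used by the test below: does the rendered cell still contain a live
    script tag or an attribute-breaking quote from the untrusted input?"""
    lowered = rendered.lower()
    return "<script" in lowered or '"><' in lowered


if __name__ == "__main__":
    for label, render in (("vulnerable", render_network_cell_vulnerable),
                          ("fixed", render_network_cell_fixed)):
        cell = render(CRAFTED_NETWORK_NAME)
        print("%-10s raw markup=%s  %s" % (label, contains_raw_markup(cell), cell))
```

The distinction that matters is where escaping happens relative to mark_safe: once a string is marked safe, every template that renders it trusts it, so any untrusted fragment concatenated into it earlier is emitted verbatim to every user who lists networks. Escaping the name first, with quote=True so it is also safe inside the title attribute, closes both the text and attribute contexts used here.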
lists.opensuse.org/opensuse-updates/2015-01/msg00040.html
www.openwall.com/lists/oss-security/2014/07/08/6
www.securityfocus.com/bid/68460
access.redhat.com/errata/RHSA-2014:0939
access.redhat.com/errata/RHSA-2014:1188
access.redhat.com/security/cve/CVE-2014-3474
access.redhat.com/security/updates/classification/#moderate
bugs.launchpad.net/horizon/+bug/1322197
bugzilla.redhat.com/show_bug.cgi?id=1116090
review.openstack.org/#/c/105477
rhn.redhat.com/errata/RHSA-2014-1188.html