Cross-site Scripting (XSS)

OpenStack Dashboard (horizon) provides administrators and users with a graphical interface to access, provision, and automate cloud-based resources. A cross-site scripting (XSS) flaw was found in the way orchestration templates were handled. An owner of such a template could use this flaw to perform XSS attacks against other Horizon users. (CVE-2014-3473) It was found that network names were not sanitized. A malicious user could use this flaw to perform XSS attacks against other Horizon users by creating a network with a specially crafted name. (CVE-2014-3474) It was found that certain email addresses were not sanitized. An administrator could use this flaw to perform XSS attacks against other Horizon users by storing an email address that has a specially crafted name. (CVE-2014-3475) A persistent cross-site scripting (XSS) flaw was found in the horizon host aggregate interface. A user with sufficient privileges to add a host aggregate could potentially use this flaw to capture the credentials of another user. (CVE-2014-3594) Red Hat would like to thank the OpenStack project for reporting these issues. Upstream acknowledges Jason Hullinger from Hewlett Packard as the original reporter of CVE-2014-3473, Craig Lorentzen from Cisco as the original reporter of CVE-2014-3474, Michael Xin from Rackspace as the original reporter of CVE-2014-3475, and Dennis Felsch and Mario Heiderich from the Horst Grtz Institute for IT-Security, Ruhr-University Bochum as the original reporter of CVE-2014-3594. All python-django-horizon users are advised to upgrade to these updated packages, which correct these issues.