Horizon-Orchestration Cross-site scripting (XSS) vulnerability through resource name

Description

Cross-site scripting (XSS) vulnerability in the Orchestration/Stack section in the Horizon Orchestration dashboard in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2, when used with Heat, allows remote Orchestration template owners or catalogs to inject arbitrary web script or HTML via a crafted template.

Basic information

Type
reviewed
Severity
medium
Advisory on GitHub
Open advisory ↗
Repository advisory
Source code
Browse source ↗
Published (advisory)
2022-05-13 01:11:29 UTC
Updated
2023-10-19 17:46:51 UTC
GitHub reviewed
2023-10-19 17:46:51 UTC
NVD published
2014-10-31

EPSS Score

Score Percentile
0.40% 60.52%

CVSS Scores

No CVSS scores in this advisory.

Identifiers

CWEs

CWE id Name
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
pip horizon < 8.0.0a0 8.0.0a0

References

cvelogic Threat Intelligence