Cross-site scripting (XSS) vulnerability in OpenStack Dashboard (Horizon) 8.0.1 and earlier and 9.0.0 through 9.0.1 allows remote authenticated users to inject arbitrary web script or HTML by injecting an AngularJS template in a dashboard form.
References
Link | Resource |
---|---|
http://www.debian.org/security/2016/dsa-3617 | Third Party Advisory |
http://www.openwall.com/lists/oss-security/2016/06/17/4 | Mailing List Patch Third Party Advisory |
https://access.redhat.com/errata/RHSA-2016:1268 | Third Party Advisory |
https://access.redhat.com/errata/RHSA-2016:1269 | Third Party Advisory |
https://access.redhat.com/errata/RHSA-2016:1270 | Third Party Advisory |
https://access.redhat.com/errata/RHSA-2016:1271 | Third Party Advisory |
https://access.redhat.com/errata/RHSA-2016:1272 | Third Party Advisory |
https://bugs.launchpad.net/horizon/+bug/1567673 | Issue Tracking Third Party Advisory |
https://review.openstack.org/329996 | Patch Vendor Advisory |
https://review.openstack.org/329997 | Patch Vendor Advisory |
https://review.openstack.org/329998 | Patch Vendor Advisory |
https://security.openstack.org/ossa/OSSA-2016-010.html | Patch Vendor Advisory |
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
AND |
|
Configuration 4 (hide)
|
History
12 Feb 2023, 23:20
Type | Values Removed | Values Added |
---|---|---|
Summary | Cross-site scripting (XSS) vulnerability in OpenStack Dashboard (Horizon) 8.0.1 and earlier and 9.0.0 through 9.0.1 allows remote authenticated users to inject arbitrary web script or HTML by injecting an AngularJS template in a dashboard form. | |
References |
|
02 Feb 2023, 21:16
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
Summary | A DOM-based, cross-site scripting vulnerability was found in the OpenStack dashboard, where user input was not filtered correctly. An authenticated dashboard user could exploit the flaw by injecting an AngularJS template into a dashboard form (for example, using an image's description), triggering the vulnerability when another user browsed the affected page. As a result, this flaw could result in user accounts being compromised (for example, user-access credentials being stolen). |
04 Aug 2021, 17:15
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:redhat:openstack:8:*:*:*:*:*:*:* |
09 Mar 2021, 15:08
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:* cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:* cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:* |
|
References | (DEBIAN) http://www.debian.org/security/2016/dsa-3617 - Third Party Advisory | |
References | (CONFIRM) https://review.openstack.org/329997 - Patch, Vendor Advisory | |
References | (CONFIRM) https://review.openstack.org/329998 - Patch, Vendor Advisory | |
References | (REDHAT) https://access.redhat.com/errata/RHSA-2016:1271 - Third Party Advisory | |
References | (CONFIRM) https://review.openstack.org/329996 - Patch, Vendor Advisory | |
References | (REDHAT) https://access.redhat.com/errata/RHSA-2016:1268 - Third Party Advisory | |
References | (CONFIRM) https://bugs.launchpad.net/horizon/+bug/1567673 - Issue Tracking, Third Party Advisory | |
References | (REDHAT) https://access.redhat.com/errata/RHSA-2016:1270 - Third Party Advisory | |
References | (REDHAT) https://access.redhat.com/errata/RHSA-2016:1269 - Third Party Advisory | |
References | (CONFIRM) https://security.openstack.org/ossa/OSSA-2016-010.html - Patch, Vendor Advisory | |
References | (MLIST) http://www.openwall.com/lists/oss-security/2016/06/17/4 - Mailing List, Patch, Third Party Advisory | |
References | (REDHAT) https://access.redhat.com/errata/RHSA-2016:1272 - Third Party Advisory |
Information
Published : 2016-07-12 19:59
Updated : 2023-12-10 11:46
NVD link : CVE-2016-4428
Mitre link : CVE-2016-4428
CVE.ORG link : CVE-2016-4428
JSON object : View
Products Affected
redhat
- openstack
- enterprise_linux
openstack
- horizon
debian
- debian_linux
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')