Candidate: CVE-2015-3219
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3219
http://lists.openstack.org/pipermail/openstack-announce/2015-June/000361.html
Cross-site scripting (XSS) vulnerability in the Orchestration/Stack section
in OpenStack Dashboard (Horizon) 2014.2 before 2014.2.4 and 2015.1.x before
2015.1.1 allows remote attackers to inject arbitrary web script or HTML via
the description parameter in a heat template, which is not properly handled
in the help_text attribute in the Field class.
mdeslaur> will not be fixed before 14.10 goes EoL
mdeslaur> bug and review url says icehouse isn't affected
https://launchpad.net/bugs/1453074
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=788306
Discovered-by: Nikita Konovalov
upstream: https://review.openstack.org/#/c/189985/ (icehouse)
upstream: https://review.openstack.org/189821 (juno)
upstream: https://review.openstack.org/189822 (kilo)
upstream: https://review.openstack.org/189820 (liberty)
upstream_horizon: released (2015.1.1)
precise_horizon: not-affected (code not present)
trusty_horizon: not-affected (1:2014.1.5-0ubuntu1)
utopic_horizon: ignored (reached end-of-life)
vivid_horizon: not-affected (1:2015.1.1-0ubuntu1)
devel_horizon: not-affected (2:8.0.0~b3-0ubuntu1)