~ubuntu-security/ubuntu-cve-tracker/master

PublicDateAtUSN: 2014-07-09
Candidate: CVE-2014-3474
PublicDate: 2014-10-31
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3474
 https://marc.info/?l=oss-security&m=140483587504490&w=2
 http://www.ubuntu.com/usn/usn-2323-1
Description:
 Cross-site scripting (XSS) vulnerability in
 horizon/static/horizon/js/horizon.instances.js in the Launch Instance menu
 in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2,
 and Juno before Juno-2 allows remote authenticated users to inject
 arbitrary web script or HTML via a network name.
Ubuntu-Description:
Notes:
 mdeslaur> same patches as CVE-2014-3473
 mdeslaur> introduced by:
 mdeslaur> https://review.openstack.org/gitweb?p=openstack/horizon.git;h=8914ed95
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=754255
 https://bugs.launchpad.net/horizon/+bug/1322197
 https://bugs.launchpad.net/ubuntu/+source/nova/+bug/1354159 (2014.1.2)
Priority: medium
Discovered-by: Craig Lorentzen
Assigned-to: jdstrand

Patches_horizon:
upstream_horizon: released (2013.2.4,2014.1.2,2014.1.1-3)
lucid_horizon: DNE
precise_horizon: not-affected (2012.1.3+stable-20130423-5ce39422-0ubuntu1)
saucy_horizon: ignored (reached end-of-life)
trusty_horizon: released (1:2014.1.2-0ubuntu1)
devel_horizon: not-affected (1:2014.2~b2-0ubuntu1)