Bug 933722 - (CVE-2015-3219) VUL-0: CVE-2015-3219: openstack-dashboard: XSS in Horizon Heat stack creation
VUL-0: CVE-2015-3219: openstack-dashboard: XSS in Horizon Heat stack creation
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
maint:running:61888:moderate CVSSv2:N...
Depends on:
  Show dependency treegraph
Reported: 2015-06-05 08:11 UTC by Andreas Stieger
Modified: 2016-04-27 19:39 UTC (History)
3 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

cve-2015-3219-stable-kilo.patch (1.55 KB, patch)
2015-06-05 08:13 UTC, Andreas Stieger
Details | Diff
cve-2015-3219-stable-juno.patch (1.55 KB, patch)
2015-06-05 08:13 UTC, Andreas Stieger
Details | Diff
cve-2015-3219-master-liberty.patch (1.55 KB, patch)
2015-06-05 08:14 UTC, Andreas Stieger
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Andreas Stieger 2015-06-05 08:13:10 UTC
Created attachment 636852 [details]
Comment 2 Andreas Stieger 2015-06-05 08:13:37 UTC
Created attachment 636853 [details]
Comment 3 Andreas Stieger 2015-06-05 08:14:04 UTC
Created attachment 636854 [details]
Comment 4 Swamp Workflow Management 2015-06-05 13:05:20 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2015-06-19.
When done, reassign the bug to security-team@suse.de.
Comment 5 Swamp Workflow Management 2015-06-05 22:00:26 UTC
bugbot adjusting priority
Comment 6 Andreas Stieger 2015-06-15 11:07:54 UTC
Public via https://security.openstack.org/ossa/OSSA-2015-010.html

OSSA-2015-010: XSS in Horizon Heat stack creation
Date:	June 09, 2015
CVE:	CVE-2015-3219
Affects: Horizon: 2014.2 versions through 2014.2.3 and version 2015.1.0


Nikita Konovalov from Mirantis reported a vulnerability in Horizon. By tricking a Horizon user into using a malicious template in the Orchestration/Stack section of Horizon, a remote attacker may trigger a cross-site-scripting vulnerability during the stack creation. It may result in potential assets theft like user access credentials. Only setups exposing the orchestration dashboard in Horizon are affected.

    https://review.openstack.org/189821 (Juno)
    https://review.openstack.org/189822 (Kilo)
    https://review.openstack.org/189820 (Liberty)


    Nikita Konovalov from Mirantis (CVE-2015-3219)




    This fix will be included in future 2014.2.4 (juno) and 2015.1.1 (kilo) releases.
Comment 8 Vincent Untz 2015-10-12 08:31:54 UTC
Submitted in mr#73509.
Comment 9 Swamp Workflow Management 2015-11-20 16:14:00 UTC
SUSE-SU-2015:2064-1: An update that solves two vulnerabilities and has 7 fixes is now available.

Category: security (moderate)
Bug References: 928891,931437,933607,933722,935442,936059,936368,945052,945515
CVE References: CVE-2015-3219,CVE-2015-3988
Sources used:
SUSE OpenStack Cloud 5 (src):    crowbar-barclamp-nova_dashboard-1.9+git.1443622531.b2b2939-9.3, openstack-dashboard-2014.2.4~a0~dev12-13.2, python-django_openstack_auth-1.1.7-11.3
Comment 10 Marcus Meissner 2016-02-10 07:35:42 UTC