{
  "threat_severity" : "Moderate",
  "public_date" : "2014-07-08T00:00:00Z",
  "bugzilla" : {
    "description" : "openstack-horizon: multiple XSS flaws",
    "id" : "1116090",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1116090"
  },
  "cvss" : {
    "cvss_base_score" : "4.3",
    "cvss_scoring_vector" : "AV:N/AC:M/Au:N/C:N/I:P/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-79",
  "details" : [ "Cross-site scripting (XSS) vulnerability in the Groups panel in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2 allows remote administrators to inject arbitrary web script or HTML via a user email address, a different vulnerability than CVE-2014-3475.", "A cross-site scripting (XSS) flaw was found in the way orchestration templates were handled. An owner of such a template could use this flaw to perform XSS attacks against other Horizon users. (CVE-2014-3473)\nIt was found that network names were not sanitized. A malicious user could use this flaw to perform XSS attacks against other Horizon users by creating a network with a specially-crafted name. (CVE-2014-3474)\nIt was found that some email addresses were not sanitized. An administrator could use this flaw to perform XSS attacks against other Horizon users by storing an email address that has a specially-crafted name. (CVE-2014-3475)" ],
  "acknowledgement" : "Red Hat would like to thank the OpenStack project for reporting this issue. Upstream acknowledges Craig Lorentzen (Cisco), Jason Hullinger (Hewlett Packard), and Michael Xin (Rackspace) as the original reporters.",
  "affected_release" : [ {
    "product_name" : "OpenStack 4 for RHEL 6",
    "release_date" : "2014-09-15T00:00:00Z",
    "advisory" : "RHSA-2014:1188",
    "cpe" : "cpe:/a:redhat:openstack:4::el6",
    "package" : "python-django-horizon-0:2013.2.3-3.el6ost"
  }, {
    "product_name" : "Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7",
    "release_date" : "2014-07-24T00:00:00Z",
    "advisory" : "RHSA-2014:0939",
    "cpe" : "cpe:/a:redhat:openstack:5::el7",
    "package" : "python-django-horizon-0:2014.1.1-2.el7ost"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat OpenStack Platform 3",
    "fix_state" : "Will not fix",
    "package_name" : "python-django-horizon",
    "cpe" : "cpe:/a:redhat:openstack:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2014-8578\nhttps://nvd.nist.gov/vuln/detail/CVE-2014-8578" ],
  "name" : "CVE-2014-8578",
  "csaw" : false
}