{ "threat_severity" : "Moderate", "public_date" : "2015-05-01T00:00:00Z", "bugzilla" : { "description" : "python-django-horizon: persistent XSS in Horizon metadata dashboard", "id" : "1222871", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1222871" }, "cvss" : { "cvss_base_score" : "4.3", "cvss_scoring_vector" : "AV:N/AC:M/Au:N/C:N/I:P/A:N", "status" : "verified" }, "cwe" : "CWE-79", "details" : [ "Multiple cross-site scripting (XSS) vulnerabilities in OpenStack Dashboard (Horizon) 2015.1.0 allow remote authenticated users to inject arbitrary web script or HTML via the metadata to a (1) Glance image, (2) Nova flavor or (3) Host Aggregate.", "A flaw was discovered in the OpenStack dashboard (horizon) handling of metadata. Potentially untrusted data was displayed from OpenStack Image service (glance) images, OpenStack Compute (nova) flavors, or host aggregates without correct sanitization. The flaw could be used by an authenticated user to conduct an XSS attack." ], "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7", "release_date" : "2015-08-24T00:00:00Z", "advisory" : "RHSA-2015:1679", "cpe" : "cpe:/a:redhat:openstack:6::el7", "package" : "python-django-horizon-0:2014.2.3-7.el7ost" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux OpenStack Platform 5 (Icehouse)", "fix_state" : "Not affected", "package_name" : "python-django-horizon", "cpe" : "cpe:/a:redhat:openstack:5::el6" }, { "product_name" : "Red Hat Enterprise Linux OpenStack Platform 7 (Kilo)", "fix_state" : "Not affected", "package_name" : "python-django-horizon", "cpe" : "cpe:/a:redhat:openstack:7" }, { "product_name" : "Red Hat OpenStack Platform 4", "fix_state" : "Not affected", "package_name" : "python-django-horizon", "cpe" : "cpe:/a:redhat:openstack:4" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2015-3988\nhttps://nvd.nist.gov/vuln/detail/CVE-2015-3988" ], "name" : "CVE-2015-3988", "csaw" : false }