Bug 853043 (CVE-2013-6406) - VUL-0: CVE-2013-6406: openstack-dashboard: persistent xss
Summary: VUL-0: CVE-2013-6406: openstack-dashboard: persistent xss
Status: RESOLVED DUPLICATE of bug 852175
Alias: CVE-2013-6406
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Vincent Untz
QA Contact: Security Team bot
Reported: 2013-11-30 09:52 UTC by Marcus Meissner
Modified: 2013-12-04 14:06 UTC
Found By: Security Response Team
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Marcus Meissner 2013-11-30 09:52:19 UTC
CVE-2013-6406

(not fully clear which package)

Chris Chapman of Cisco PSIRT reports:

The OpenStack web user interface (horizon) is vulnerable to XSS:

While launching (or editing) an instance, injecting <script> tags in
the instance name results in the javascript being executed on the
"Volumes" and the "Network Topology" page. This is a classic Stored
XSS vulnerability.

External reference:
https://bugs.launchpad.net/ossa/+bug/1247675
https://review.openstack.org/58465
http://github.com/openstack/horizon/commit/6179f70290783e55b10bbd4b3b7ee74db3f8ef70
https://bugzilla.redhat.com/show_bug.cgi?id=1035907
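
The flaw class reported above, shown as an added example that is not part of the original report and is not Horizon's code: a user-chosen instance name is stored once and later rendered on a different page. The function names, URL layout and sample data are assumptions made for illustration.

```python
import html
import json

# Constructed sample data: a stored instance whose name carries markup,
# attached to one volume. IDs and device path are made up for this example.
INSTANCE = {"id": "inst-0001", "name": "<script>marker()</script>"}
VOLUME = {"id": "vol-0001",
          "attachments": [{"instance": INSTANCE, "device": "/dev/vdb"}]}

CELL = 'Attached to <a href="/instances/%s/">%s</a> on %s'


def render_attachments_unsafe(volume):
    """'Before' form: the stored name is interpolated into HTML verbatim,
    so markup in the name becomes markup in the listing page."""
    return ", ".join(
        CELL % (a["instance"]["id"], a["instance"]["name"], a["device"])
        for a in volume["attachments"])


def render_attachments_safe(volume):
    """Hardened form: every stored value is HTML-escaped at output time,
    including values placed inside the href attribute."""
    return ", ".join(
        CELL % (html.escape(a["instance"]["id"], quote=True),
                html.escape(a["instance"]["name"], quote=True),
                html.escape(a["device"], quote=True))
        for a in volume["attachments"])


def topology_json(instances):
    """Serialize names for client-side rendering. Escaping <, > and & as
    \\uXXXX keeps the payload valid JSON while preventing it from closing
    an enclosing <script> element. The client must still insert the name
    as text rather than as HTML."""
    data = json.dumps([{"id": i["id"], "name": i["name"]} for i in instances])
    return (data.replace("<", "\\u003c")
                .replace(">", "\\u003e")
                .replace("&", "\\u0026"))


if __name__ == "__main__":
    print(render_attachments_unsafe(VOLUME))
    print(render_attachments_safe(VOLUME))
    print(topology_json([INSTANCE]))
```

Escaping at the point of output matters here because the name is entered on one page and rendered on others, so input-side filtering on the launch form alone would not cover names already stored.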
Comment 1 Swamp Workflow Management 2013-11-30 23:00:36 UTC
bugbot adjusting priority
Comment 2 Alexander Bergmann 2013-12-04 14:06:30 UTC
CVE-2013-6406 was REJECTED as it is a duplicate of CVE-2013-6858.

Marking this bug as a duplicate of:

Bug 852175 - VUL-0: CVE-2013-6858: openstack-dashboard: Multiple cross-site scripting (XSS) vulnerabilities

*** This bug has been marked as a duplicate of bug 852175 ***