Bug 931437 (CVE-2015-3988) - VUL-0: CVE-2015-3988: openstack-dashboard: Persistent XSS in Horizon metadata dashboard
Status: RESOLVED FIXED
Alias: CVE-2015-3988
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium, Severity: Major
Target Milestone: ---
Deadline: 2015-06-19
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/116815/
Whiteboard: maint:running:61888:moderate CVSSv2:R...
Keywords:
Depends on:
Blocks:
 
Reported: 2015-05-19 09:27 UTC by Alexander Bergmann
Modified: 2015-11-24 12:45 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Description Alexander Bergmann 2015-05-19 09:27:19 UTC
CVE-2015-3988

launchpad.net Bug Description:
-----------------------------------------------------
1) Start up Horizon
2) Go to Images
3) Next to an image, pick "Update Metadata"
4) From the dropdown button, select "Update Metadata"
5) In the Custom box, enter a value with some HTML like '</script><script>alert(1)</script>//', click +
6) On the right-hand side, give it a value, like "ee"
7) Click "Save"
8) Pick "Update Metadata" for the image again, the page will fail to load, and the JavaScript console says:

SyntaxError: invalid property id
var existing_metadata = {"

An alternative is if you change the URL to update_metadata for the image (for example, http://192.168.122.239/admin/images/fa62ba27-e731-4ab9-8487-f31bac355b4c/update_metadata/), it will actually display the alert box and a bunch of junk.

I'm not sure if update_metadata is actually a page, though... can't figure out how to get to it other than typing it in.
-----------------------------------------------------

References:
http://www.openwall.com/lists/oss-security/2015/05/12/9
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3988
http://seclists.org/oss-sec/2015/q2/463
http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-3988.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3988
https://bugs.launchpad.net/horizon/+bug/1449260
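
Why step 8 stops at `var existing_metadata = {"`, as an added example (not Horizon's code and not the upstream fix). It assumes the page places the JSON-encoded metadata inside an inline `<script>`, as the console error suggests, and uses Python's HTML parser to show where each script element ends; `render_unsafe`, `js_safe_json`, `render_safe` and `script_bodies` are hypothetical names.

```python
import json
from html.parser import HTMLParser

# Constructed sample: the custom metadata key from step 5 and the value from step 6.
METADATA = {"</script><script>alert(1)</script>//": "ee"}

def render_unsafe(metadata):
    """Inline script built by dropping plain JSON into the page (the failing pattern)."""
    return "<script>var existing_metadata = %s;</script>" % json.dumps(metadata)

def js_safe_json(metadata):
    """JSON with <, > and & written as \\uXXXX escapes, so no tag can form inside <script>."""
    text = json.dumps(metadata)
    for ch in "<>&":
        text = text.replace(ch, "\\u%04x" % ord(ch))
    return text

def render_safe(metadata):
    """Same inline script, but using the escaped JSON."""
    return "<script>var existing_metadata = %s;</script>" % js_safe_json(metadata)

class ScriptCollector(HTMLParser):
    """Collects the body of each <script> element as an HTML parser delimits it."""
    def __init__(self):
        super().__init__()
        self.scripts, self._open = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._open = True
            self.scripts.append("")
    def handle_data(self, data):
        if self._open:
            self.scripts[-1] += data
    def handle_endtag(self, tag):
        if tag == "script":
            self._open = False

def script_bodies(html):
    """Return the list of script bodies found in the given HTML fragment."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts

if __name__ == "__main__":
    print(script_bodies(render_unsafe(METADATA)))  # two scripts: truncated JS, then the injected one
    print(script_bodies(render_safe(METADATA)))    # one script holding the whole object literal
```

The escaped form is still valid JSON and valid JavaScript, so the page reads back the same key; Django's `json_script` filter applies the same three escapes.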
Comment 1 Swamp Workflow Management 2015-05-19 22:00:54 UTC
bugbot adjusting priority
Comment 2 Swamp Workflow Management 2015-06-05 13:05:30 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2015-06-19.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/61888
Comment 3 Bernhard Wiedemann 2015-06-09 07:44:20 UTC
https://review.openstack.org/#/q/I4821eacb0bb274befab7995f3a8f87c82d3997f5,n,z

fixes and refs added to Master, Kilo, Juno
Comment 5 Vincent Untz 2015-10-12 08:31:13 UTC
Submitted in mr#73509.
Comment 6 Swamp Workflow Management 2015-11-20 16:13:37 UTC
SUSE-SU-2015:2064-1: An update that solves two vulnerabilities and has 7 fixes is now available.

Category: security (moderate)
Bug References: 928891,931437,933607,933722,935442,936059,936368,945052,945515
CVE References: CVE-2015-3219,CVE-2015-3988
Sources used:
SUSE OpenStack Cloud 5 (src):    crowbar-barclamp-nova_dashboard-1.9+git.1443622531.b2b2939-9.3, openstack-dashboard-2014.2.4~a0~dev12-13.2, python-django_openstack_auth-1.1.7-11.3
Comment 7 Bernhard Wiedemann 2015-11-24 12:45:31 UTC
update was released