
CVE-2014-125078: Fix multiple Cross-Site Scripting (XSS) vulnerabilities. · yanheven/console@32a7b71

A cross-site scripting vulnerability was found in yanheven console (OpenStack Horizon dashboard code) and classified as problematic. The affected code includes horizon/static/horizon/js/horizon.instances.js, which rendered network names in the Launch Instance menu without escaping them; the same commit also escapes user e-mail addresses in the Users and Groups panels before they are passed to the urlize filter, and escapes the URLs and link attributes generated for Horizon tables. The attack may be launched remotely by supplying a crafted string in one of these user-controlled fields. The fixing commit is 32a7b713468161282f2ea01d5e2faff980d924cd; applying it is recommended. VDB-218354 is the identifier assigned to this vulnerability.


Fix multiple Cross-Site Scripting (XSS) vulnerabilities.

* Ensure user emails are properly escaped

User emails in the Users and Groups panel are being passed through the urlize filter to transform them into clickable links. However, urlize expects input to be already escaped and safe. We should make sure to escape the strings first as email addresses are not validated and can contain any type of string.

Closes-Bug: #1320235

* Ensure network names are properly escaped in the Launch Instance menu

Closes-Bug: #1322197

* Escape the URLs generated for the Horizon tables

When generating the Horizon tables, there was an assumption that only the anchor text needed to be escaped. However some URLs are generated based on user-provided data and should be escaped as well. Also escape the link attributes for good measure.

* Use 'reverse' to generate the Resource URLs in the stacks tables

Closes-Bug: #1308727

Change-Id: Ic8a92e69f66c2d265a802f350e30f091181aa42e
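To make the two escaping fixes described in the commit message concrete (escape the e-mail string before handing it to a urlize-style filter, and escape the href and attribute values of generated table links rather than only the anchor text), here is an added Python example. It is not code from the yanheven/console or Horizon project and not from this commit: `urlize` is a hypothetical stand-in for a link filter that trusts its input, `resource_url` is a hypothetical string-built URL of the kind the commit replaces with `reverse`, and both hostile inputs are constructed for the demonstration.

```python
import html
import re

# Constructed sample input (not from Horizon or from this commit): an e-mail
# address that was never validated, and a stack resource name that ends up
# both in a generated URL and in a link attribute.
HOSTILE_EMAIL = "<script>alert(1)</script>@example.com"
HOSTILE_RESOURCE = 'web" onmouseover="alert(1)'

# Anything without whitespace on either side of an "@" is treated as an address.
EMAIL_RE = re.compile(r"\S+@\S+")


def urlize(text):
    """Hypothetical stand-in for a urlize-style filter (not Django's): wraps
    each address in a mailto: link and copies the rest through untouched.
    Like the real filter, it assumes its input is already escaped."""
    return EMAIL_RE.sub(
        lambda m: '<a href="mailto:{0}">{0}</a>'.format(m.group(0)), text)


def email_cell_before(email):
    """The pattern the first bullet fixes: raw user data into the link filter."""
    return urlize(email)


def email_cell_after(email):
    """The fix: escape first (quote=True also turns " and ' into entities,
    which matters inside the href attribute), then let the filter build the link."""
    return urlize(html.escape(email, quote=True))


def resource_url(resource_name):
    """Hypothetical string-built resource URL of the kind the fourth bullet
    replaces with reverse(); the user-controlled name lands in the path."""
    return "/project/stacks/stack/resource/{}/".format(resource_name)


def table_link_before(url, text, attrs):
    """The assumption the third bullet removes: only the anchor text is
    escaped, while the href and the other attribute values are trusted."""
    attr_html = "".join(' {}="{}"'.format(k, v) for k, v in attrs.items())
    return '<a href="{}"{}>{}</a>'.format(url, attr_html, html.escape(text))


def table_link_after(url, text, attrs):
    """The fix: escape the URL and every attribute name and value as well, so
    a value containing a double quote cannot close the attribute it sits in."""
    attr_html = "".join(
        ' {}="{}"'.format(html.escape(k, quote=True), html.escape(v, quote=True))
        for k, v in attrs.items())
    return '<a href="{}"{}>{}</a>'.format(
        html.escape(url, quote=True), attr_html, html.escape(text, quote=True))


def contains_live_markup(rendered):
    """Crude check for the demo: does a raw <script> tag or an unescaped
    on* event-handler attribute survive in the rendered HTML?"""
    return "<script" in rendered or re.search(r'\son\w+="', rendered) is not None


if __name__ == "__main__":
    attrs = {"class": "ajax-update", "data-display": HOSTILE_RESOURCE}
    url = resource_url(HOSTILE_RESOURCE)
    for label, out in [
        ("email before", email_cell_before(HOSTILE_EMAIL)),
        ("email after ", email_cell_after(HOSTILE_EMAIL)),
        ("link before ", table_link_before(url, HOSTILE_RESOURCE, attrs)),
        ("link after  ", table_link_after(url, HOSTILE_RESOURCE, attrs)),
    ]:
        print(label, "LIVE MARKUP" if contains_live_markup(out) else "inert", out)
```

Escaping keeps a value inside the HTML context it was inserted into; it does not validate what the URL is. A value such as `javascript:alert(1)` passes `html.escape` unchanged and is still a live link in an href, which is why building resource URLs with `reverse` from validated identifiers (the commit's fourth bullet) is the complementary control rather than a cosmetic one.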

