The error reporting in Horizon for creating a new network is susceptible to a Cross-Site Scripting vulnerability. Example request/response:
Request
POST /project/networks/create HTTP/1.1
...
csrfmiddlewaretoken=6MGUvp62x8c6GU7TfRXQLZERmJuN7nXT&net_profile_id=<img src=zz onerror=alert(1)>&net_name=foobar&admin_state=True&with_subnet=on&subnet_name=&cidr=&ip_version=4&gateway_ip=&enable_dhcp=on&ipv6_modes=none%2Fnone&allocation_pools=&dns_nameservers=&host_routes=
Response
HTTP/1.1 200 OK
Date: Tue, 03 Feb 2015 20:42:28 GMT
Server: Apache/2.4.10 (Debian)
Vary: Accept-Language,Cookie
X-Frame-Options: SAMEORIGIN
Content-Language: en
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/json
Content-Length: 209
{"has_errors": true, "errors": {"createnetworkinfoaction": {"net_profile_id": ["Select a valid choice. <img src=zz onerror=alert(1)> is not one of the available choices."]}}, "workflow_slug": "create_network"}
In the above example if the net_profile_id does not exist, the json response contains the user input and Horizon echo's it out. Although it would be difficult to exploit this vulnerability because an attacker would need to manipulate the hidden HTML net_profile_id parameter or the POST body, Horizon should still HTML encode the output.
Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.