OpenStack Security Advisory

XSS in adding JavaScript into the ‘Subnet Name’ field

Bug #1900872 reported by Dorina Timbur on 2020-10-21

This bug report is a duplicate of: Bug #1892848: XSS in adding JavaScript into the ‘Subnet Name’ field. Edit Remove

262

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Dashboard (Horizon)	New	Undecided	Unassigned
	OpenStack Security Advisory	Incomplete	Undecided	Unassigned

Bug Description

As part of a penetration test done by a third party on a customer environment, it was found that by adding JavaScript into the ‘Subnet Name’ field, the JavaScript would trigger
when adding the network to an instance and then loading a network trunk.
The user needs permissions to create a network and edit an instance for this to trigger.
See attached screenshots for more details.
This is susceptible to a Cross-Site Scripting (XSS) vulnerability.

See original description

Tags:

Revision history for this message

Dorina Timbur (dorina-t) wrote on 2020-10-21:

#1

xss1.png Edit (39.9 KiB, image/png)

Revision history for this message

Dorina Timbur (dorina-t) wrote on 2020-10-21:

#2

xss2.png Edit (45.1 KiB, image/png)

Jeremy Stanley (fungi) on 2020-10-21

Changed in ossa:
status:	New → Incomplete

Revision history for this message

Jeremy Stanley (fungi) wrote on 2020-10-21:

#3

Since this report concerns a possible security risk, an incomplete
security advisory task has been added while the core security
reviewers for the affected project or projects confirm the bug and
discuss the scope of any vulnerability along with potential
solutions.

description:

updated

Revision history for this message

Dorina Timbur (dorina-t) wrote on 2020-10-26:

#4

Hi, this is the first time I've raised a potential security vulnerability bug, so if there's any additional information to provide, please let me know.

Revision history for this message

Jeremy Stanley (fungi) wrote on 2020-10-26:

#5

At this point we're waiting for the Horizon project's security reviewers to help confirm the reported defect and idenify the extent of its impact. If they don't chime in soon I'll reach out to them directly in an attempt to get some resolution.

Revision history for this message

Jeremy Stanley (fungi) wrote on 2021-08-03:

#6

We missed setting this to Public Security at the expiration of its embargo in January because it's set as a duplicate. I've switched it to Public Security now.

information type:	Private Security → Public Security
description:	updated

Revision history for this message

Vishal Manchanda (vishalmanchanda) wrote on 2021-08-03:

#7

hi @dorina-t, Could you please more information about the steps to reproduce this bug?

Report a bug

This report contains Public Security information

Everyone can see this security related information.

Duplicate of bug #1892848 Remove

You are

Subscribing...

Edit bug mail

Other bug subscribers

Bug attachments

Add attachment

Remote bug watches

Bug watches keep track of this bug in other bug trackers.