Canonical · Ubuntu Metal As A Service · CVE-2013-1070
**Name of the Vulnerable Software and Affected Versions**
Ubuntu Metal as a Service (MaaS) versions 1.2 through 1.4
**Description**
A cross-site scripting (XSS) issue exists in the API, allowing remote attackers to inject arbitrary web script or HTML via the `op` parameter to the "nodes/" API endpoint.
**Recommendations**
For versions 1.2 through 1.4, consider restricting access to the "nodes/" API endpoint until a fix is available, and avoid using the `op` parameter in this endpoint to minimize the risk of exploitation.
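One way to restrict the `op` parameter in front of the "nodes/" endpoint, shown as an added example that is not MaaS code and not part of the original advisory: a WSGI middleware that allow-lists `op` values in the query string and answers anything else with a fixed plain-text 400 that never echoes the input. The identifier pattern, the `/nodes/` suffix match, the sample path and the names `OpParamGuard`, `demo_app` and `call` are assumptions; `op` values sent in a request body are not covered.

```python
import re
from urllib.parse import parse_qs

# Assumption: legitimate operation names are short, plain identifiers.
SAFE_OP = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")


class OpParamGuard:
    """WSGI middleware that rejects unsafe `op` values on a guarded path."""

    def __init__(self, app, guarded_suffix="/nodes/"):
        self.app = app
        self.guarded_suffix = guarded_suffix  # hypothetical suffix match

    def __call__(self, environ, start_response):
        if environ.get("PATH_INFO", "").endswith(self.guarded_suffix):
            # parse_qs percent-decodes, so encoded markup is seen in clear.
            query = parse_qs(environ.get("QUERY_STRING", ""),
                             keep_blank_values=True)
            for value in query.get("op", []):
                if not SAFE_OP.fullmatch(value):
                    # Fixed message: the rejected value is never reflected.
                    body = b"Bad Request: invalid op parameter\n"
                    start_response("400 Bad Request", [
                        ("Content-Type", "text/plain; charset=utf-8"),
                        ("X-Content-Type-Options", "nosniff"),
                        ("Content-Length", str(len(body))),
                    ])
                    return [body]
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Stand-in for the protected application (constructed for the demo)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


def call(app, path, query):
    """Drive a WSGI app with a constructed GET; return (status, headers, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"], captured["headers"] = status, dict(headers)

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "QUERY_STRING": query}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body
```
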