CVE-2015-3219

Name of the Vulnerable Software and Affected Versions OpenStack Dashboard (Horizon) versions 2014.2 through 2014.2.3 OpenStack Dashboard (Horizon) versions 2015.1.x before 2015.1.1

Description A cross-site scripting (XSS) issue exists due to improper handling of the description parameter in a heat template, which allows remote attackers to inject arbitrary web script or HTML. This occurs because the help text attribute in the Field class does not properly handle the input.

Recommendations For OpenStack Dashboard (Horizon) versions 2014.2 through 2014.2.3, update to version 2014.2.4 or later. For OpenStack Dashboard (Horizon) versions 2015.1.x before 2015.1.1, update to version 2015.1.1 or later. As a temporary workaround, consider restricting access to the heat template description parameter to minimize the risk of exploitation.