Nikita Konovalov

**Name of the Vulnerable Software and Affected Versions** OpenStack Dashboard (Horizon) versions 2014.2 through 2014.2.3 OpenStack Dashboard (Horizon) versions 2015.1.x before 2015.1.1 **Description** A cross-site scripting (XSS) issue exists due to improper handling of the `description` parameter in a heat template, which allows remote attackers to inject arbitrary web script or HTML. This occurs because the `help text` attribute in the Field class does not properly handle the input. **Recommendations** For OpenStack Dashboard (Horizon) versions 2014.2 through 2014.2.3, update to version 2014.2.4 or later. For OpenStack Dashboard (Horizon) versions 2015.1.x before 2015.1.1, update to version 2015.1.1 or later. As a temporary workaround, consider restricting access to the heat template description parameter to minimize the risk of exploitation.