CVE-2016-4428
MEDIUM
OpenStack Horizon < 8.0.1 and 9.0.0-9.0.1 - Authenticated Cross-Site Scripting via AngularJS Template Injection
Title source: llm
Description
Cross-site scripting (XSS) vulnerability in OpenStack Dashboard (Horizon) 8.0.1 and earlier and 9.0.0 through 9.0.1 allows remote authenticated users to inject arbitrary web script or HTML by injecting an AngularJS template in a dashboard form.
References (12)
Core References
Third Party Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2016:1268
Third Party Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2016:1270
Third Party Advisory vendor-advisory
x_refsource_debian
http://www.debian.org/security/2016/dsa-3617
Third Party Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2016:1272
Patch, Vendor Advisory x_refsource_confirm
https://security.openstack.org/ossa/OSSA-2016-010.html
Patch, Vendor Advisory x_refsource_confirm
https://review.openstack.org/329997
Issue Tracking, Third Party Advisory x_refsource_confirm
https://bugs.launchpad.net/horizon/+bug/1567673
Third Party Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2016:1269
Mailing List, Patch, Third Party Advisory mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2016/06/17/4
Third Party Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2016:1271
Patch, Vendor Advisory x_refsource_confirm
https://review.openstack.org/329998
Patch, Vendor Advisory x_refsource_confirm
https://review.openstack.org/329996
Scores
CVSS v3
5.4
EPSS
0.0055
EPSS Percentile
68.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (10)
debian/debian_linux
8.0
debian/debian_linux
9.0
openstack/horizon
9.0.0
openstack/horizon
9.0.1
openstack/horizon
8.0.0 - 8.0.1
pypi/horizon
0 - 8.0.2 (PyPI)
redhat/openstack
6.0
redhat/openstack
7.0
redhat/openstack
8
redhat/openstack
5.0
Published
Jul 12, 2016
Tracked Since
Feb 18, 2026