An update for python-django-horizon is now available for Red Hat EnterpriseLinux OpenStack Platform 5.0 (Icehouse) for RHEL 6.Red Hat Product Security has rated this update as having a security impact ofImportant.
A Common Vulnerability Scoring System (CVSS) base score, which givesa detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.
OpenStack Dashboard (Horizon) provides administrators and users with agraphical interface to access, provision, and automate cloud-basedresources.Security Fix(es):* A DOM-based, cross-site scripting vulnerability was found in the OpenStackdashboard, where user input was not filtered correctly.
An authenticateddashboard user could exploit the flaw by injecting an AngularJS template into adashboard form (for example, using an image’s description), triggering thevulnerability when another user browsed the affected page.
As a result, thisflaw could result in user accounts being compromised (for example, user-accesscredentials being stolen). (CVE-2016-4428)Red Hat would like to thank the OpenStack project for reporting this issue.Upstream acknowledges Beth Lancaster (Virginia Tech) and Brandon Sawyers(Virginia Tech) as the original reporters.
Red Hat OpenStack 5.0 for RHEL 6
MD5: 19d0c6c70b63afc29aa97804abb54157SHA-256: c1ec2ddea43743441919fae2848823196e2685b7d279c62849c19858b081eef6
MD5: e8b568aaea7cc475ad12f09bca2f4ae4SHA-256: 4155690358a88955d57d1c5ff1e7e338c5625ae7f07607357fdc2911e5e7c627
MD5: 4e46e751eaf2d1c4fc19289b47c3644aSHA-256: 272ac991bd687a198140fb26da863fe40e168269e8c710c8d763374817827df4
MD5: ad95e65991903086f641843811249d97SHA-256: 9f3c8efe6af31fa6c1117ddec5740800a113f2ccc47d742c35238044533d5070
MD5: 485340f637bbf45f46c4eb7a0e1d04bdSHA-256: 2a2a593dfa09f960002074235d11d15a0461d3df61621e3fd23379f3bd49a074
(The unlinked packages above are only available from the Red Hat Network)
1343982 – CVE-2016-4428 python-django-horizon: XSS in client side template
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from: