{"id":"PYSEC-2015-40","details":"Cross-site scripting (XSS) vulnerability in the Orchestration/Stack section in OpenStack Dashboard (Horizon) 2014.2 before 2014.2.4 and 2015.1.x before 2015.1.1 allows remote attackers to inject arbitrary web script or HTML via the description parameter in a heat template, which is not properly handled in the help_text attribute in the Field class.","aliases":["CVE-2015-3219","GHSA-rhjj-f6gq-6gx2"],"modified":"2024-11-25T22:42:07.364076Z","published":"2015-08-20T20:59:00Z","references":[{"type":"ADVISORY","url":"http://lists.openstack.org/pipermail/openstack-announce/2015-June/000361.html"},{"type":"FIX","url":"http://www.openwall.com/lists/oss-security/2015/06/09/7"},{"type":"WEB","url":"http://www.securityfocus.com/bid/75109"},{"type":"ADVISORY","url":"https://bugs.launchpad.net/horizon/+bug/1453074"},{"type":"ADVISORY","url":"http://www.debian.org/security/2016/dsa-3617"},{"type":"WEB","url":"http://www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.html"},{"type":"ADVISORY","url":"http://rhn.redhat.com/errata/RHSA-2015-1679.html"}],"affected":[{"package":{"name":"horizon","ecosystem":"PyPI","purl":"pkg:pypi/horizon"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"8.0.0a0"}]}],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/horizon/PYSEC-2015-40.yaml"}}],"schema_version":"1.7.3"}