Vulnerability Details : CVE-2016-4428
Cross-site scripting (XSS) vulnerability in OpenStack Dashboard (Horizon) 8.0.1 and earlier and 9.0.0 through 9.0.1 allows remote authenticated users to inject arbitrary web script or HTML by injecting an AngularJS template in a dashboard form.
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2016-4428
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:openstack:5.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:openstack:6.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:openstack:7.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:openstack:8:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:horizon:*:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:horizon:9.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:horizon:9.0.1:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2016-4428
0.13% (probability of exploitation activity in the next 30 days)
~49% percentile (the proportion of vulnerabilities that are scored at or below this score)
CVSS scores for CVE-2016-4428
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
3.5 | LOW | AV:N/AC:M/Au:S/C:N/I:P/A:N | 6.8 | 2.9 | NIST |
5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | 2.3 | 2.7 | NIST |
CWE ids for CVE-2016-4428
- The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2016-4428
- https://access.redhat.com/errata/RHSA-2016:1272 : RHSA-2016:1272 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- https://bugs.launchpad.net/horizon/+bug/1567673 : Bug #1567673 "[OSSA-2016-010] Possible client side template inje..." : Bugs : OpenStack Dashboard (Horizon) (Issue Tracking; Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2016:1269 : RHSA-2016:1269 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2016:1271 : RHSA-2016:1271 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- https://review.openstack.org/329997 : Change I0cbebfd0: Escape angularjs templating in unsafe HTML | review.opendev Code Review (Patch; Vendor Advisory)
- http://www.openwall.com/lists/oss-security/2016/06/17/4 : oss-security - [OSSA-2016-010] XSS in Horizon client side template (CVE-2016-4428) (Mailing List; Patch; Third Party Advisory)
- http://www.debian.org/security/2016/dsa-3617 : Debian -- Security Information -- DSA-3617-1 horizon (Third Party Advisory)
- https://security.openstack.org/ossa/OSSA-2016-010.html : OpenStack Docs: OSSA-2016-010: XSS in Horizon client side template (Patch; Vendor Advisory)
- https://access.redhat.com/errata/RHSA-2016:1270 : RHSA-2016:1270 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- https://review.openstack.org/329998 : Change I0cbebfd0: Escape angularjs templating in unsafe HTML | review.opendev Code Review (Patch; Vendor Advisory)
- https://access.redhat.com/errata/RHSA-2016:1268 : RHSA-2016:1268 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- https://review.openstack.org/329996 : Change I0cbebfd0: Escape angularjs templating in unsafe HTML | review.opendev Code Review (Patch; Vendor Advisory)