Sicherheit: Cross-Site Scripting in OpenStack
||Cross-Site Scripting in OpenStack
||Red Hat Enterprise Linux OpenStack Platform
||Mi, 26. Oktober 2016, 22:47
-----BEGIN PGP SIGNED MESSAGE-----
Red Hat Security Advisory
Synopsis: Moderate: openstack-manila-ui security update
Advisory ID: RHSA-2016:2117-01
Product: Red Hat Enterprise Linux OpenStack Platform
Advisory URL: https://rhn.redhat.com/errata/RHSA-2016-2117.html
Issue date: 2016-10-26
CVE Names: CVE-2016-6519
An update for openstack-manila-ui is now available for Red Hat OpenStack
Platform 9.0 (Mitaka).
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat OpenStack Platform 9.0 - noarch
OpenStack's File Share Service (manila) provides the means to easily
provision shared file systems that can be consumed by multiple instances.
These shared file systems are provisioned from pre-existing, back-end
volumes. The UI component provides the dashboard plugin for the service.
* A cross-site scripting flaw was discovered in openstack-manila-ui's
Metadata field contained in its "Create Share" form. A user could
overview. Remote, authenticated, but unprivileged users could exploit this
vulnerability to steal session cookies and escalate their privileges.
Red Hat would like to thank SUSE for reporting this issue. SUSE
acknowledges Niklaus Schiess as the original reporter.
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
5. Bugs fixed (https://bugzilla.redhat.com/):
1375147 - CVE-2016-6519 openstack-manila-ui: persistent XSS in metadata field
6. Package List:
Red Hat OpenStack Platform 9.0:
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
The Red Hat security contact is <firstname.lastname@example.org>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
Enterprise-watch-list mailing list