CVE-2017-7400 - OpenCVE

OpenStack Horizon 9.x through 9.1.1, 10.x through 10.0.2, and 11.0.0 allows remote authenticated administrators to conduct XSS attacks via a crafted federation mapping.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:S/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Openstack	Horizon

Configuration 1 [-]

OR	cpe:2.3:a:openstack:horizon:9.0.0:::::::*
	cpe:2.3:a:openstack:horizon:9.0.0:b1::::::
	cpe:2.3:a:openstack:horizon:9.0.0:b2::::::
	cpe:2.3:a:openstack:horizon:9.0.0:b3::::::
	cpe:2.3:a:openstack:horizon:9.0.0:rc1::::::
	cpe:2.3:a:openstack:horizon:9.0.0:rc2::::::
	cpe:2.3:a:openstack:horizon:9.0.1:::::::*
	cpe:2.3:a:openstack:horizon:9.1.0:::::::*
	cpe:2.3:a:openstack:horizon:9.1.1:::::::*
	cpe:2.3:a:openstack:horizon:10.0.0:::::::*
	cpe:2.3:a:openstack:horizon:10.0.0:b1::::::
	cpe:2.3:a:openstack:horizon:10.0.0:b2::::::
	cpe:2.3:a:openstack:horizon:10.0.0:b3::::::
	cpe:2.3:a:openstack:horizon:10.0.0:rc1::::::
	cpe:2.3:a:openstack:horizon:10.0.0:rc2::::::
	cpe:2.3:a:openstack:horizon:10.0.0:rc3::::::
	cpe:2.3:a:openstack:horizon:10.0.1:::::::*
	cpe:2.3:a:openstack:horizon:10.0.2:::::::*
	cpe:2.3:a:openstack:horizon:11.0.0:::::::*

References

Link	Resource
http://www.securityfocus.com/bid/97324	Third Party Advisory VDB Entry
https://access.redhat.com/errata/RHSA-2017:1598
https://access.redhat.com/errata/RHSA-2017:1739
https://launchpad.net/bugs/1667086

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2017-04-03T14:00:00

Updated: 2018-01-04T19:57:01

Reserved: 2017-04-03T00:00:00

Link: CVE-2017-7400

JSON object: View

NVD Information

Status : Modified

Published: 2017-04-03T14:59:00.167

Modified: 2018-01-05T02:31:51.027

Link: CVE-2017-7400

JSON object: View

Redhat Information

No data.

CWE

CWE-79

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2017-04-03T00:00:00", "descriptions": [{"lang": "en", "value": "OpenStack Horizon 9.x through 9.1.1, 10.x through 10.0.2, and 11.0.0 allows remote authenticated administrators to conduct XSS attacks via a crafted federation mapping."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-01-04T19:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "97324", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/97324"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://launchpad.net/bugs/1667086"}, {"name": "RHSA-2017:1598", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2017:1598"}, {"name": "RHSA-2017:1739", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2017:1739"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-7400", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "OpenStack Horizon 9.x through 9.1.1, 10.x through 10.0.2, and 11.0.0 allows remote authenticated administrators to conduct XSS attacks via a crafted federation mapping."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "97324", "refsource": "BID", "url": "http://www.securityfocus.com/bid/97324"}, {"name": "https://launchpad.net/bugs/1667086", "refsource": "CONFIRM", "url": "https://launchpad.net/bugs/1667086"}, {"name": "RHSA-2017:1598", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2017:1598"}, {"name": "RHSA-2017:1739", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2017:1739"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-7400", "datePublished": "2017-04-03T14:00:00", "dateReserved": "2017-04-03T00:00:00", "dateUpdated": "2018-01-04T19:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openstack:horizon:9.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "4A4F67B5-5856-4D19-87C5-BE69829D44C2", "vulnerable": true}, {"criteria": "cpe:2.3:a:openstack:horizon:9.0.0:b1:*:*:*:*:*:*", "matchCriteriaId": "96C77F76-2C3F-4901-9C2F-E701ABB4D3A0", "vulnerable": true}, {"criteria": "cpe:2.3:a:openstack:horizon:9.0.0:b2:*:*:*:*:*:*", "matchCriteriaId": "7A1AFF40-ED11-4C9E-8C17-78C0569145ED", "vulnerable": true}, {"criteria": "cpe:2.3:a:openstack:horizon:9.0.0:b3:*:*:*:*:*:*", "matchCriteriaId": "41ECAF99-BA35-4B46-A307-F9E86A8674A5", "vulnerable": true}, {"criteria": "cpe:2.3:a:openstack:horizon:9.0.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "76B0BAD7-980F-4F27-BE31-DD2029F83D9B", "vulnerable": true}, {"criteria": "cpe:2.3:a:openstack:horizon:9.0.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4D9EC72C-6608-4F29-B910-2B4C766A1F0C", "vulnerable": true}, {"criteria": "cpe:2.3:a:openstack:horizon:9.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "583BDBA0-7B0B-4B9B-89B8-DE63C6104D56", "vulnerable": true}, {"criteria": "cpe:2.3:a:openstack:horizon:9.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "ED8DF61B-8B37-444A-9285-6584A99FAA89", "vulnerable": true}, {"criteria": "cpe:2.3:a:openstack:horizon:9.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "18E64BFC-A3C7-4726-95E1-0287DA436432", "vulnerable": true}, {"criteria": "cpe:2.3:a:openstack:horizon:10.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "4B25B3CE-D980-46CE-B322-534E2163F18F", "vulnerable": true}, {"criteria": "cpe:2.3:a:openstack:horizon:10.0.0:b1:*:*:*:*:*:*", "matchCriteriaId": "331A89F0-E511-4960-A95A-075A6CB62EBA", "vulnerable": true}, {"criteria": "cpe:2.3:a:openstack:horizon:10.0.0:b2:*:*:*:*:*:*", "matchCriteriaId": "F7792D86-9841-4069-B6B0-74AA4907F1DE", "vulnerable": true}, {"criteria": "cpe:2.3:a:openstack:horizon:10.0.0:b3:*:*:*:*:*:*", "matchCriteriaId": "508B31E5-9356-4AF8-9292-02D34F9C46F5", "vulnerable": true}, {"criteria": "cpe:2.3:a:openstack:horizon:10.0.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "D0313866-F422-43AB-A279-856E7CEAEC67", "vulnerable": true}, {"criteria": "cpe:2.3:a:openstack:horizon:10.0.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "460EB309-8D97-45CE-B3B9-C490518A7741", "vulnerable": true}, {"criteria": "cpe:2.3:a:openstack:horizon:10.0.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "B20B5BDA-8B1C-4A1C-95CF-BC9CDFBA6910", "vulnerable": true}, {"criteria": "cpe:2.3:a:openstack:horizon:10.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "C7BEBDB8-402D-44CA-A9A6-EE360BD0FB94", "vulnerable": true}, {"criteria": "cpe:2.3:a:openstack:horizon:10.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "AD40295F-72D3-42CE-9F1B-FE3FC5CF52AA", "vulnerable": true}, {"criteria": "cpe:2.3:a:openstack:horizon:11.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "7187E4A2-1780-48AF-AAE9-2E1B48B2B50C", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "OpenStack Horizon 9.x through 9.1.1, 10.x through 10.0.2, and 11.0.0 allows remote authenticated administrators to conduct XSS attacks via a crafted federation mapping."}, {"lang": "es", "value": "OpenStack Horizon 9.x a trav\u00e9s de 9.1.1, 10.x en versiones hasta 10.0.2 y 11.0.0 permite a los administradores autenticados remotos realizar ataques XSS a trav\u00e9s de una asignaci\u00f3n de federaci\u00f3n manipulada."}], "id": "CVE-2017-7400", "lastModified": "2018-01-05T02:31:51.027", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-04-03T14:59:00.167", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/97324"}, {"source": "cve@mitre.org", "url": "https://access.redhat.com/errata/RHSA-2017:1598"}, {"source": "cve@mitre.org", "url": "https://access.redhat.com/errata/RHSA-2017:1739"}, {"source": "cve@mitre.org", "url": "https://launchpad.net/bugs/1667086"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}