CVE-2012-3540

Description

Open redirect vulnerability in views/auth_forms.py in OpenStack Dashboard (Horizon) Essex (2012.1) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the next parameter to auth/login/. NOTE: this issue was originally assigned CVE-2012-3542 by mistake.

How to fix CVE-2012-3540

To remediate CVE-2012-3540, upgrade the affected package to a fixed version below.

• Debian/horizon—upgrade to 2012.1.1-4 or later
• PyPI/horizon—upgrade to 35eada8a27323c0f83c400177797927aba6bc99b or later

Is CVE-2012-3540 being exploited?

Low — EPSS is 1.9%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

• from 0, < 2012.1.1-4
• from 0, < 35eada8a27323c0f83c400177797927aba6bc99b | from 0

References (11)

• ADVISORYsecunia.com/advisories/50480
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2012-3540
• ADVISORYwww.ubuntu.com/usn/USN-1565-1
• PATCHgithub.com/openstack/horizon/commit/35eada8a27323c0f83c400177797927aba6bc99b
• WEB