CVE-2016-4428 — horizon - security update

Description

Cross-site scripting (XSS) vulnerability in OpenStack Dashboard (Horizon) 8.0.1 and earlier and 9.0.0 through 9.0.1 allows remote authenticated users to inject arbitrary web script or HTML by injecting an AngularJS template in a dashboard form.

How to fix CVE-2016-4428

To remediate CVE-2016-4428, upgrade the affected package to a fixed version below.

Debian/horizon—upgrade to 3:9.0.1-2 or later
—upgrade to 2012.1.1-10+deb7u1 or later
—upgrade to 8.0.2 or later

Is CVE-2016-4428 being exploited?

Low — EPSS is 0.6%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

from 0, < 3:9.0.1-2
from 0, < 2012.1.1-10+deb7u1
from 0, < 8.0.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

References (19)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2016-4428
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2016-4428
WEBaccess.redhat.com/errata/RHSA-2016:1268
WEBaccess.redhat.com/errata/RHSA-2016:1269
WEB