From EGIWiki
Jump to: navigation, search
Main page Software Security Checklist Issue Handling Advisories Notes On Risk Advisory Template More


** WHITE information - Unlimited distribution allowed                       **  

** see for distribution restrictions **


Title:       EGI SVG Advisory - Up to 'High' RISK - Persistent XSS in OpenStack Horizon admin dashboard. CVE-2015-3988 [EGI-SVG-2015-8706]

Date:        2015-06-05



SVG has been alerted to a Persistent XSS in OpenStack in Horizon admin dashboard, in the image metadata pannel.

This may allow privilege escallation. 


See [R 1] [R 2] and [R 3] 

One member of our team looked at the patch and the vulnerability and the attack scenario would be:
- An authenticated user adds malicious metadata to an image (via the APIs)
- An admin go on the admin panel, then select this very image and look/edit its metadata, the stored XSS will 
only be exposed in a page specific to the image, not a summary.

On one site which was investigated, the Horizon admin dashboard was disabled. 

Risk category

It is not clear that it is all that easy to exploit this issue in the EGI infrastructure. 
However, to be cautious it should be considered  'High' risk if sites are running OpenStack 
and the Horizon admin dashboard is enabled.  

Affected software

Horizon metadata dashboard.


Sites running OpenStack with the horizon metadata dashboard may disable the horizon metadata dashboard. 

Component installation information

See OpenStack instructions.  


Sites running OpenStack with the horizon metadata dashboard enabled should consider either updating 
or disabling the horizon metadata dashboard. 


SVG was alerted to this vulnerability  by Alvaro Lopez Garcia 


[R 1]

[R 2]

[R 3] Wiki XSS description -


Comments or questions should be sent to svg-rat at

We are currently revising the vulnerability issue handling procedure so suggestions and comments are welcome. 


2015-05-28 SVG alerted to this publicly announced Vulnerability by Alvaro Lopez Garcia
2015-05-28 Acknowledgement from the EGI SVG 
2015-05--- Discussions on impact and risk in EGI
2015-06-04 Advisory drafted
2015-06-05 Advisory sent to sites

On behalf of the EGI SVG,