Horizon

horizon

Vendor: Openstack • 22 CVEs

CVEs (22)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2022-45582 1Openstack 1Horizon Nov 21, 2024 Aug 22, 2023 N/A· v4 6.1 MEDIUM· v3 N/A· v2 Open Redirect vulnerability in Horizon Web Dashboard 19.4.0 thru 20.1.4 via the success_url parameter.
CVE-2020-29565 2Debian Openstack 2Debian Linux Horizon Nov 21, 2024 Dec 4, 2020 N/A· v4 6.1 MEDIUM· v3 5.8 MEDIUM· v2 An issue was discovered in OpenStack Horizon before 15.3.2, 16.x before 16.2.1, 17.x and 18.x before 18.3.3, 18.4.x, and 18.5.x. There is a lack of validation of the "next" parameter, which would allow someone to supply...Show more An issue was discovered in OpenStack Horizon before 15.3.2, 16.x before 16.2.1, 17.x and 18.x before 18.3.3, 18.4.x, and 18.5.x. There is a lack of validation of the "next" parameter, which would allow someone to supply a malicious URL in Horizon that can cause an automatic redirect to the provided malicious URL.Show less
CVE-2012-5476 2Debian Openstack 2Debian Linux Horizon Nov 21, 2024 Dec 30, 2019 N/A· v4 5.5 MEDIUM· v3 2.1 LOW· v2 Within the RHOS Essex Preview (2012.2) of the OpenStack dashboard package, the file /etc/quantum/quantum.conf is world readable which exposes the admin password and token value.
CVE-2012-5474 4Debian FedoraprojectOpenstack+1 more 4Debian Linux FedoraHorizon+1 more Nov 21, 2024 Dec 30, 2019 N/A· v4 5.5 MEDIUM· v3 2.1 LOW· v2 The file /etc/openstack-dashboard/local_settings within Red Hat OpenStack Platform 2.0 and RHOS Essex Release (python-django-horizon package before 2012.1.1) is world readable and exposes the secret key value.
CVE-2017-7400 1Openstack 1Horizon May 13, 2026 Apr 3, 2017 N/A· v4 4.8 MEDIUM· v3 3.5 LOW· v2 OpenStack Horizon 9.x through 9.1.1, 10.x through 10.0.2, and 11.0.0 allows remote authenticated administrators to conduct XSS attacks via a crafted federation mapping.
CVE-2016-4428 3Debian OpenstackRedhat 3Debian Linux HorizonOpenstack May 6, 2026 Jul 12, 2016 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 Cross-site scripting (XSS) vulnerability in OpenStack Dashboard (Horizon) 8.0.1 and earlier and 9.0.0 through 9.0.1 allows remote authenticated users to inject arbitrary web script or HTML by injecting an AngularJS templ...Show more Cross-site scripting (XSS) vulnerability in OpenStack Dashboard (Horizon) 8.0.1 and earlier and 9.0.0 through 9.0.1 allows remote authenticated users to inject arbitrary web script or HTML by injecting an AngularJS template in a dashboard form.Show less
CVE-2015-3219 3Debian OpenstackOracle 3Debian Linux HorizonSolaris May 6, 2026 Aug 20, 2015 N/A· v4 N/A· v3 4.3 MEDIUM· v2 Cross-site scripting (XSS) vulnerability in the Orchestration/Stack section in OpenStack Dashboard (Horizon) 2014.2 before 2014.2.4 and 2015.1.x before 2015.1.1 allows remote attackers to inject arbitrary web script or H...Show more Cross-site scripting (XSS) vulnerability in the Orchestration/Stack section in OpenStack Dashboard (Horizon) 2014.2 before 2014.2.4 and 2015.1.x before 2015.1.1 allows remote attackers to inject arbitrary web script or HTML via the description parameter in a heat template, which is not properly handled in the help_text attribute in the Field class.Show less
CVE-2015-3988 2Openstack Oracle 2Horizon Solaris May 6, 2026 May 19, 2015 N/A· v4 N/A· v3 3.5 LOW· v2 Multiple cross-site scripting (XSS) vulnerabilities in OpenStack Dashboard (Horizon) 2015.1.0 allow remote authenticated users to inject arbitrary web script or HTML via the metadata to a (1) Glance image, (2) Nova flavo...Show more Multiple cross-site scripting (XSS) vulnerabilities in OpenStack Dashboard (Horizon) 2015.1.0 allow remote authenticated users to inject arbitrary web script or HTML via the metadata to a (1) Glance image, (2) Nova flavor or (3) Host Aggregate.Show less
CVE-2014-8124 4Fedoraproject OpenstackOpensuse+1 more 4Fedora HorizonOpensuse+1 more May 6, 2026 Dec 12, 2014 N/A· v4 N/A· v3 5.0 MEDIUM· v2 OpenStack Dashboard (Horizon) before 2014.1.3 and 2014.2.x before 2014.2.1 does not properly handle session records when using a db or memcached session engine, which allows remote attackers to cause a denial of service...Show more OpenStack Dashboard (Horizon) before 2014.1.3 and 2014.2.x before 2014.2.1 does not properly handle session records when using a db or memcached session engine, which allows remote attackers to cause a denial of service via a large number of requests to the login page.Show less
CVE-2014-8578 1Openstack 1Horizon May 6, 2026 Oct 31, 2014 N/A· v4 N/A· v3 3.5 LOW· v2 Cross-site scripting (XSS) vulnerability in the Groups panel in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2 allows remote administrators to inject arbitrary web script or...Show more Cross-site scripting (XSS) vulnerability in the Groups panel in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2 allows remote administrators to inject arbitrary web script or HTML via a user email address, a different vulnerability than CVE-2014-3475.Show less
CVE-2014-3475 2Openstack Opensuse 2Horizon Opensuse May 6, 2026 Oct 31, 2014 N/A· v4 N/A· v3 3.5 LOW· v2 Cross-site scripting (XSS) vulnerability in the Users panel (admin/users/) in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2 allows remote administrators to inject arbitrary...Show more Cross-site scripting (XSS) vulnerability in the Users panel (admin/users/) in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2 allows remote administrators to inject arbitrary web script or HTML via a user email address, a different vulnerability than CVE-2014-8578.Show less
CVE-2014-3474 2Openstack Opensuse 2Horizon Opensuse May 6, 2026 Oct 31, 2014 N/A· v4 N/A· v3 3.5 LOW· v2 Cross-site scripting (XSS) vulnerability in horizon/static/horizon/js/horizon.instances.js in the Launch Instance menu in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2 allo...Show more Cross-site scripting (XSS) vulnerability in horizon/static/horizon/js/horizon.instances.js in the Launch Instance menu in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2 allows remote authenticated users to inject arbitrary web script or HTML via a network name.Show less
CVE-2014-3473 2Openstack Opensuse 2Horizon Opensuse May 6, 2026 Oct 31, 2014 N/A· v4 N/A· v3 4.3 MEDIUM· v2 Cross-site scripting (XSS) vulnerability in the Orchestration/Stack section in the Horizon Orchestration dashboard in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2, when us...Show more Cross-site scripting (XSS) vulnerability in the Orchestration/Stack section in the Horizon Orchestration dashboard in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2, when used with Heat, allows remote Orchestration template owners or catalogs to inject arbitrary web script or HTML via a crafted template.Show less
CVE-2014-3594 2Openstack Opensuse 2Horizon Opensuse May 6, 2026 Aug 22, 2014 N/A· v4 N/A· v3 3.5 LOW· v2 Cross-site scripting (XSS) vulnerability in the Host Aggregates interface in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-3 allows remote administrators to inject arbitrary...Show more Cross-site scripting (XSS) vulnerability in the Host Aggregates interface in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-3 allows remote administrators to inject arbitrary web script or HTML via a new host aggregate name.Show less
CVE-2013-4471 1Openstack 1Horizon May 6, 2026 May 14, 2014 N/A· v4 N/A· v3 5.5 MEDIUM· v2 The Identity v3 API in OpenStack Dashboard (Horizon) before 2013.2 does not require the current password when changing passwords for user accounts, which makes it easier for remote attackers to change a user password by...Show more The Identity v3 API in OpenStack Dashboard (Horizon) before 2013.2 does not require the current password when changing passwords for user accounts, which makes it easier for remote attackers to change a user password by leveraging the authentication token for that user.Show less
CVE-2014-0157 2Openstack Opensuse 2Horizon Opensuse May 6, 2026 Apr 15, 2014 N/A· v4 N/A· v3 4.3 MEDIUM· v2 Cross-site scripting (XSS) vulnerability in the Horizon Orchestration dashboard in OpenStack Dashboard (aka Horizon) 2013.2 before 2013.2.4 and icehouse before icehouse-rc2 allows remote attackers to inject arbitrary web...Show more Cross-site scripting (XSS) vulnerability in the Horizon Orchestration dashboard in OpenStack Dashboard (aka Horizon) 2013.2 before 2013.2.4 and icehouse before icehouse-rc2 allows remote attackers to inject arbitrary web script or HTML via the description field of a Heat template.Show less
CVE-2013-6858 3Canonical OpenstackOpensuse 3Horizon OpensuseUbuntu Linux Apr 29, 2026 Nov 23, 2013 N/A· v4 N/A· v3 4.3 MEDIUM· v2 Multiple cross-site scripting (XSS) vulnerabilities in OpenStack Dashboard (Horizon) 2013.2 and earlier allow local users to inject arbitrary web script or HTML via an instance name to (1) "Volumes" or (2) "Network Topol...Show more Multiple cross-site scripting (XSS) vulnerabilities in OpenStack Dashboard (Horizon) 2013.2 and earlier allow local users to inject arbitrary web script or HTML via an instance name to (1) "Volumes" or (2) "Network Topology" page.Show less
CVE-2012-3542 1Openstack 2Essex Horizon Apr 29, 2026 Sep 5, 2012 N/A· v4 N/A· v3 4.3 MEDIUM· v2 OpenStack Keystone, as used in OpenStack Folsom before folsom-rc1 and OpenStack Essex (2012.1), allows remote attackers to add an arbitrary user to an arbitrary tenant via a request to update the user's default tenant to...Show more OpenStack Keystone, as used in OpenStack Folsom before folsom-rc1 and OpenStack Essex (2012.1), allows remote attackers to add an arbitrary user to an arbitrary tenant via a request to update the user's default tenant to the administrative API. NOTE: this identifier was originally incorrectly assigned to an open redirect issue, but the correct identifier for that issue is CVE-2012-3540.Show less
CVE-2012-3540 1Openstack 1Horizon Apr 29, 2026 Sep 5, 2012 N/A· v4 N/A· v3 5.8 MEDIUM· v2 Open redirect vulnerability in views/auth_forms.py in OpenStack Dashboard (Horizon) Essex (2012.1) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the next param...Show more Open redirect vulnerability in views/auth_forms.py in OpenStack Dashboard (Horizon) Essex (2012.1) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the next parameter to auth/login/. NOTE: this issue was originally assigned CVE-2012-3542 by mistake.Show less
CVE-2012-3426 1Openstack 3Essex HorizonKeystone Apr 29, 2026 Jul 31, 2012 N/A· v4 N/A· v3 4.9 MEDIUM· v2 OpenStack Keystone before 2012.1.1, as used in OpenStack Folsom before Folsom-1 and OpenStack Essex, does not properly implement token expiration, which allows remote authenticated users to bypass intended authorization...Show more OpenStack Keystone before 2012.1.1, as used in OpenStack Folsom before Folsom-1 and OpenStack Essex, does not properly implement token expiration, which allows remote authenticated users to bypass intended authorization restrictions by (1) creating new tokens through token chaining, (2) leveraging possession of a token for a disabled user account, or (3) leveraging possession of a token for an account with a changed password.Show less

12 Next