CVE-2014-3473: Horizon-Orchestration Cross-site scripting (XSS) vulnerability through resource name
CVSS Score: N/A

Basic Information

CVE ID: CVE-2014-3473
GHSA ID
EPSS Score: 0.59896%
CWE
Published: 5/13/2022
Updated: 10/19/2023
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: -
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| horizon | pip | < 8.0.0a0 | 8.0.0a0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stemmed from Horizon's failure to escape user-controlled resource names when generating links in the Orchestration/Stack UI. The pre-patch code in tables.py directly used resource_name in URL construction (via lambda functions), which allowed attackers to inject malicious HTML/scripts. The commits c844bd6 and de4466d fixed this by introducing URL reversal with proper escaping and stack_id binding, confirming the vulnerable code paths.