CVE-2014-3474: OpenStack Horizon Cross-site scripting (XSS) vulnerability
CVSS Score: N/A
Basic Information
CVE ID
GHSA ID
EPSS Score: 0.54252%
CWE
Published: 5/13/2022
Updated: 10/19/2023
KEV Status: No
Technology: Python
Technical Details
CVSS Vector: -
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
horizon | pip | < 8.0.0a0 | 8.0.0a0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from unescaped network name rendering in horizon.instances.js. The commit diff shows the fix added HTML entity escaping (e.g., replacing `&` with `&amp;`, `<` with `&lt;`). The original code used raw network name text from DOM elements (`name: $this.text().replace(/^\s+/, "")`), making it vulnerable. This matches the CVE description of XSS via network names.
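The pattern described above, as an added example that is not Horizon's own code: a name that is only whitespace-trimmed is interpolated into markup, next to the same template fed through entity escaping. The function names, the list-item template and the sample name are assumptions made for illustration, and the escaper covers `>` and both quote characters in addition to the `&` and `<` the analysis mentions.

```javascript
// Added illustration; every name here is hypothetical, not Horizon's code.

// Pre-fix behaviour quoted in the analysis: only leading whitespace is trimmed.
function rawName(text) {
  return text.replace(/^\s+/, "");
}

// Escape characters that are significant in HTML text and quoted attributes.
// '&' is replaced first so entities produced below are not escaped twice.
function escapeHtml(text) {
  return text
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Hypothetical template that places the name in an attribute and in text.
function renderItem(name) {
  return '<li class="network" title="' + name + '">' + name + "</li>";
}

function renderUnsafe(text) {
  return renderItem(rawName(text));
}

function renderSafe(text) {
  return renderItem(escapeHtml(rawName(text)));
}

// Regression check: list every opening tag other than the template's own <li>.
function injectedTags(html) {
  const tags = html.match(/<[a-zA-Z][^>]*>/g) || [];
  return tags.filter((t) => !t.startsWith("<li "));
}

// Constructed sample: a network name that carries markup.
const SAMPLE = '  dmz"><img src=x onerror=alert(1)> & co';

console.log("unsafe:", injectedTags(renderUnsafe(SAMPLE)));
console.log("safe:  ", injectedTags(renderSafe(SAMPLE)));
```

A check like `injectedTags` can serve as a unit test around any template that renders tenant-controlled names, so a later refactor that drops the escaping fails the build.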