VYPR
Low severity · NVD Advisory · Published Aug 22, 2014 · Updated May 6, 2026

CVE-2014-3594

Description

Cross-site scripting (XSS) vulnerability in the Host Aggregates interface in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-3 allows remote administrators to inject arbitrary web script or HTML via a new host aggregate name.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
horizon (PyPI) | < 8.0.0a0 | 8.0.0a0

Affected products

4
  • OpenStack/Horizon (3 versions)
    • cpe:2.3:a:openstack:horizon:*:*:*:*:*:*:*:* (range: >=2013.2,<2013.2.4)
    • cpe:2.3:a:openstack:horizon:juno-1:*:*:*:*:*:*:*
    • cpe:2.3:a:openstack:horizon:juno-2:*:*:*:*:*:*:*
  • cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*

Patches

2
ba908ae88d59

Fix XSS issue with the unordered_list filter

https://github.com/openstack/horizon · Julie Pichon · Jul 29, 2014 · via ghsa
1 file changed · +7 -3
  • openstack_dashboard/dashboards/admin/aggregates/tables.py (+7 -3, modified)
    @@ -93,18 +93,22 @@ def get_zone_hosts(zone):
         return host_details
     
     
    +def safe_unordered_list(value):
    +    return filters.unordered_list(value, autoescape=True)
    +
    +
     class HostAggregatesTable(tables.DataTable):
         name = tables.Column('name', verbose_name=_('Name'))
         availability_zone = tables.Column('availability_zone',
                                           verbose_name=_('Availability Zone'))
         hosts = tables.Column(get_aggregate_hosts,
                               verbose_name=_("Hosts"),
                               wrap_list=True,
    -                          filters=(filters.unordered_list,))
    +                          filters=(safe_unordered_list,))
         metadata = tables.Column(get_metadata,
                                  verbose_name=_("Metadata"),
                                  wrap_list=True,
    -                             filters=(filters.unordered_list,))
    +                             filters=(safe_unordered_list,))
     
         class Meta:
             name = "host_aggregates"
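Review bot: No regression test accompanies the switch to safe_unordered_list on the hosts and metadata columns of HostAggregatesTable; the commit changes only tables.py. Suggest a table test that renders an aggregate whose hosts and metadata values contain markup and asserts that the cell output holds the escaped form, so that a later revert to filters.unordered_list fails the suite. Since the advisory names the aggregate name as the input, the same test should also assert on the rendered name column, which this hunk leaves unchanged.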
    @@ -123,7 +127,7 @@ class AvailabilityZonesTable(tables.DataTable):
         hosts = tables.Column(get_zone_hosts,
                               verbose_name=_('Hosts'),
                               wrap_list=True,
    -                          filters=(filters.unordered_list,))
    +                          filters=(safe_unordered_list,))
         available = tables.Column(get_available,
                                   verbose_name=_('Available'),
                                   status=True,
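Review bot: safe_unordered_list lives only in admin/aggregates/tables.py, and the hosts column of AvailabilityZonesTable here is already its third caller in this module. Any table elsewhere that still passes filters=(filters.unordered_list,) is not touched by this change. Suggest searching the tree for remaining direct uses of filters.unordered_list as a column filter and moving the wrapper to a shared module that every table can import.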
    
ba2c98aea0db

Fix XSS issue with the unordered_list filter

https://github.com/openstack/horizon · Julie Pichon · Jul 29, 2014 · via ghsa
1 file changed · +7 -3
  • openstack_dashboard/dashboards/admin/aggregates/tables.py (+7 -3, modified)
    @@ -98,18 +98,22 @@ def get_zone_hosts(zone):
         return host_details
     
     
    +def safe_unordered_list(value):
    +    return filters.unordered_list(value, autoescape=True)
    +
    +
     class HostAggregatesTable(tables.DataTable):
         name = tables.Column('name', verbose_name=_('Name'))
         availability_zone = tables.Column('availability_zone',
                                           verbose_name=_('Availability Zone'))
         hosts = tables.Column(get_aggregate_hosts,
                               verbose_name=_("Hosts"),
                               wrap_list=True,
    -                          filters=(filters.unordered_list,))
    +                          filters=(safe_unordered_list,))
         metadata = tables.Column(get_metadata,
                                  verbose_name=_("Metadata"),
                                  wrap_list=True,
    -                             filters=(filters.unordered_list,))
    +                             filters=(safe_unordered_list,))
     
         class Meta:
             name = "host_aggregates"
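Review bot: The new safe_unordered_list helper has no docstring or comment saying why autoescape=True has to be passed explicitly. The wrapper is handed to filters=(...) and receives only value, so nothing else in the call path sets the flag. A one-line docstring stating that, and that the values rendered in these columns are user-supplied, would keep a later cleanup from collapsing the wrapper back to filters.unordered_list.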
    @@ -128,7 +132,7 @@ class AvailabilityZonesTable(tables.DataTable):
         hosts = tables.Column(get_zone_hosts,
                               verbose_name=_('Hosts'),
                               wrap_list=True,
    -                          filters=(filters.unordered_list,))
    +                          filters=(safe_unordered_list,))
         available = tables.Column(get_available,
                                   verbose_name=_('Available'),
                                   status=True,
    
