CVE-2015-3219

Moderate severity · NVD Advisory · Published Aug 20, 2015 · Updated May 6, 2026

Description

Cross-site scripting (XSS) vulnerability in the Orchestration/Stack section of OpenStack Dashboard (Horizon) 2014.2 before 2014.2.4 and 2015.1.x before 2015.1.1 allows remote attackers to inject arbitrary web script or HTML via the Description of a parameter in a Heat template. Horizon copies the Description returned by Heat's template validation straight into the help_text of the form Field it generates for that parameter, without escaping, so whoever supplies the template controls markup rendered in the Launch Stack form.
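To make that data flow concrete, the following is an added example and not Horizon's own code: it builds the same field_args dictionary as the patched function, once without the escape (the vulnerable behaviour) and once with it, renders help_text the way a template that trusts the value would, and adds a small pre-flight lint for templates received from untrusted sources. Assumptions: Python's stdlib html.escape stands in for django.utils.html.escape (both substitute the same five characters, so Django is not needed to run this); the JSON-form HOT template and the helper names validate_template, build_parameter_fields, render_help_text and find_unescaped_descriptions are constructed for this example.

```python
"""Added example for CVE-2015-3219 (not Horizon's code).

Shows how a Heat template parameter's Description reaches a Django form
field's help_text, before and after the fix, using a constructed template.
"""
import html   # assumption: stdlib html.escape stands in for django.utils.html.escape
import json

# Constructed HOT template (JSON form). Whoever can hand this template to
# the Launch Stack form controls the description text.
TEMPLATE_JSON = json.dumps({
    "heat_template_version": "2013-05-23",
    "parameters": {
        "flavor": {
            "type": "string",
            "description": "Instance flavor",
            "default": "m1.small",
        },
        "key_name": {
            "type": "string",
            "description": "<img src=x onerror=alert(document.cookie)> SSH key",
        },
    },
})


def validate_template(template_json):
    """Hypothetical stand-in for Heat's template-validate response: returns
    per-parameter metadata with the capitalised keys forms.py reads."""
    tpl = json.loads(template_json)
    params = {}
    for name, spec in tpl.get("parameters", {}).items():
        entry = {"Type": spec.get("type", "string")}
        if "description" in spec:
            entry["Description"] = spec["description"]
        if "default" in spec:
            entry["Default"] = spec["default"]
        if "label" in spec:
            entry["Label"] = spec["label"]
        params[name] = entry
    return {"Parameters": params}


def build_parameter_fields(template_validate, escape_description):
    """Mirrors the field_args construction in the fix commit.
    escape_description=False reproduces the pre-fix (vulnerable) behaviour."""
    fields = {}
    for param_key, param in template_validate["Parameters"].items():
        desc = param.get("Description", "")
        fields[param_key] = {
            "initial": param.get("Default", None),
            "label": param.get("Label", param_key),
            "help_text": html.escape(desc) if escape_description else desc,
            "required": param.get("Default", None) is None,
        }
    return fields


def render_help_text(field_args):
    """Emulates a form template that renders help_text as trusted markup,
    which is why the escape has to happen when the field is built."""
    return '<span class="help-block">%s</span>' % field_args["help_text"]


def find_unescaped_descriptions(template_json):
    """Defensive pre-flight check: names of parameters whose description
    contains a '<', i.e. could carry markup. Sorted for stable output."""
    tpl = json.loads(template_json)
    hits = []
    for name, spec in tpl.get("parameters", {}).items():
        if "<" in str(spec.get("description", "")):
            hits.append(name)
    return sorted(hits)


if __name__ == "__main__":
    validated = validate_template(TEMPLATE_JSON)
    vulnerable = build_parameter_fields(validated, escape_description=False)
    fixed = build_parameter_fields(validated, escape_description=True)
    print("before fix:", render_help_text(vulnerable["key_name"]))
    print("after fix: ", render_help_text(fixed["key_name"]))
    print("flagged:   ", find_unescaped_descriptions(TEMPLATE_JSON))
```

Running the script prints the injected tag verbatim for the pre-fix path and the entity-encoded form (`&lt;img ...&gt;`) for the fixed path; the lint function is the kind of check worth running on templates pulled from a catalogue or URL before they ever reach a user's browser.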

Affected packages

Versions sourced from the GitHub Security Advisory.

Package   Ecosystem   Affected versions   Patched versions
horizon   PyPI        < 8.0.0a0           8.0.0a0

Note that this GHSA range marks every PyPI release before 8.0.0a0 (Liberty) as affected. The NVD description and the stable-branch commits under Patches show the fix also shipped in the 2014.2.4 (Juno) and 2015.1.1 (Kilo) point releases, so those stable releases are not vulnerable even though they sort below 8.0.0a0.

Affected products (7)

  • OpenStack Horizon (5 versions)
    • cpe:2.3:a:openstack:horizon:2014.2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:openstack:horizon:2014.2.1:*:*:*:*:*:*:*
    • cpe:2.3:a:openstack:horizon:2014.2.2:*:*:*:*:*:*:*
    • cpe:2.3:a:openstack:horizon:2014.2.3:*:*:*:*:*:*:*
    • cpe:2.3:a:openstack:horizon:2015.1.0:*:*:*:*:*:*:*
  • cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
  • cpe:2.3:o:oracle:solaris:11.2:*:*:*:*:*:*:*

Patches (3)

84da479739fb

Escape the description param from heat template

https://github.com/openstack/horizon · lin-hua-cheng · Jun 2, 2015 · via ghsa
1 file changed · +2 −1
  • openstack_dashboard/dashboards/project/stacks/forms.py (+2 −1, modified)
    @@ -13,6 +13,7 @@
     import json
     import logging
     
    +from django.utils import html
     from django.utils.translation import ugettext_lazy as _
     from django.views.decorators.debug import sensitive_variables  # noqa
     
    @@ -310,7 +311,7 @@ def _build_parameter_fields(self, template_validate):
                 field_args = {
                     'initial': param.get('Default', None),
                     'label': param.get('Label', param_key),
    -                'help_text': param.get('Description', ''),
    +                'help_text': html.escape(param.get('Description', '')),
                     'required': param.get('Default', None) is None
                 }
     
    
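Review bot: only help_text gets html.escape() in this hunk; 'label': param.get('Label', param_key) on the line above still passes the template-supplied Label through raw. If help_text needed manual escaping here because the template that renders it does not autoescape, confirm the label is rendered through a path that does (Django's label_tag escapes), otherwise wrap the Label in html.escape() too. Note that django.utils.html.escape marks its return value safe, so an autoescaping template will not encode this value a second time, which is the intended behaviour but also means this call is the only defence for the description.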
28d8f49786d6

Escape the description param from heat template

https://github.com/openstack/horizon · lin-hua-cheng · Jun 2, 2015 · via ghsa
1 file changed · +2 −1
  • openstack_dashboard/dashboards/project/stacks/forms.py (+2 −1, modified)
    @@ -13,6 +13,7 @@
     import json
     import logging
     
    +from django.utils import html
     from django.utils.translation import ugettext_lazy as _
     from django.views.decorators.debug import sensitive_variables  # noqa
     
    @@ -310,7 +311,7 @@ def _build_parameter_fields(self, template_validate):
                 field_args = {
                     'initial': param.get('Default', None),
                     'label': param.get('Label', param_key),
    -                'help_text': param.get('Description', ''),
    +                'help_text': html.escape(param.get('Description', '')),
                     'required': param.get('Default', None) is None
                 }
     
    
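Review bot: this stable backport ships with no regression test (1 file changed, forms.py only); a unit test that feeds a validated template whose Description contains '<script>' through _build_parameter_fields and asserts on the escaped help_text would keep the escape from being lost in a later merge on this branch. Also worth a glance two lines up: 'initial': param.get('Default', None) is equally template-controlled and is left unescaped, which is fine only as long as it is rendered as a widget attribute value (which Django escapes) and never copied into a context that renders raw.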
dab92e7d2f57

Escape the description param from heat template

https://github.com/openstack/horizon · lin-hua-cheng · Jun 2, 2015 · via ghsa
1 file changed · +2 −1
  • openstack_dashboard/dashboards/project/stacks/forms.py (+2 −1, modified)
    @@ -13,6 +13,7 @@
     import json
     import logging
     
    +from django.utils import html
     from django.utils.translation import ugettext_lazy as _
     from django.views.decorators.debug import sensitive_variables  # noqa
     
    @@ -290,7 +291,7 @@ def _build_parameter_fields(self, template_validate):
                 field_args = {
                     'initial': param.get('Default', None),
                     'label': param.get('Label', param_key),
    -                'help_text': param.get('Description', ''),
    +                'help_text': html.escape(param.get('Description', '')),
                     'required': param.get('Default', None) is None
                 }
     
    
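Review bot: the default in html.escape(param.get('Description', '')) only applies when the Description key is absent; if the validated template can carry Description: null (a YAML null survives into the dict as None), html.escape() will coerce it via force_text and the form will show the literal text "None" as help text rather than nothing. Using param.get('Description') or '' keeps the escape and handles that case, and the same applies to the two companion commits on master and stable/kilo.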
