CVE-2016-4428
Medium severity, CVSS 5.4 (NVD) · NVD Advisory · Published Jul 12, 2016 · Updated May 6, 2026
Description
Cross-site scripting (XSS) vulnerability in OpenStack Dashboard (Horizon) 8.0.1 and earlier and 9.0.0 through 9.0.1 allows remote authenticated users to inject arbitrary web script or HTML by injecting an AngularJS template in a dashboard form.
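As an added illustration (not code from the Horizon project or from the advisory), the following Python shows why ordinary HTML escaping does not neutralise an AngularJS interpolation expression embedded in form data, and how a rewrite of the interpolation markers applied after escaping does, together with a check a reviewer can run over rendered output to confirm that nothing interpolatable is left. It assumes the standard-library `html.escape` as a stand-in for `django.utils.html.escape`, and that the interpolation delimiters are `{$`/`$}`, which Horizon configures through `$interpolateProvider` (as the fix commits state); the sample display name is constructed.

```python
import html
import re

# Interpolation delimiters Horizon configures via $interpolateProvider
# (stated in the fix commits); an assumption for this example. An Angular
# app using the default "{{ }}" would need the analogous rewrite.
INTERP_OPEN, INTERP_CLOSE = "{$", "$}"

# Finds any interpolation expression that is still live in a markup fragment.
_LIVE_INTERP = re.compile(r"\{\$(.*?)\$\}", re.DOTALL)


def html_escape(text):
    """Plain HTML escaping; stand-in for django.utils.html.escape.

    Note what it leaves alone: '{', '$' and '}' are not HTML-significant,
    so an interpolation expression survives escaping untouched.
    """
    return html.escape(str(text), quote=True)


def angular_safe_escape(text, existing=html_escape):
    """HTML-escape, then rewrite the interpolation delimiters.

    Mirrors the approach of the Horizon fix: after the usual escaping the
    markers '{$' and '$}' become '{%' and '%}', which the browser renders as
    literal text and AngularJS does not treat as an expression. The original
    escaper is captured as a default argument at definition time, so the
    wrapper keeps working even if it is later installed in place of the
    original (as Horizon's monkeypatch does) without recursing into itself.
    """
    return existing(text).replace(INTERP_OPEN, "{%").replace(INTERP_CLOSE, "%}")


def live_interpolations(markup):
    """Detection / regression check: list the interpolation expressions still
    present in a rendered fragment. An empty list means nothing in the
    fragment can be picked up by Angular's interpolation."""
    return _LIVE_INTERP.findall(markup)


# Constructed sample: a user-controlled display name that carries both HTML
# and an interpolation block.
SAMPLE_NAME = "<b>demo</b> {$ 1+1 $}"

if __name__ == "__main__":
    before = html_escape(SAMPLE_NAME)
    after = angular_safe_escape(SAMPLE_NAME)
    print("HTML escape only     :", before, "live:", live_interpolations(before))
    print("plus marker rewriting:", after, "live:", live_interpolations(after))
```

The check is the useful part for a defender: run `live_interpolations` over rendered fragments (or over template output in a test) and treat any non-empty result as a regression. The rewrite is deliberately narrow, covering only the delimiters the application actually configures, which is also why it must be kept in step with the `$interpolateProvider` setting.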
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| horizon (PyPI) | < 8.0.2 | 8.0.2 |
| horizon (PyPI) | >= 9.0.0, < 9.1.0 | 9.1.0 |
Affected products
25 version ranges, sourced from the GitHub Security Advisory; none carries a CPE.

| Package (purl) | Distro | Affected range |
|---|---|---|
| pkg:pypi/horizon | (none) | < 8.0.2 |
| pkg:rpm/suse/openstack-ceilometer | SUSE OpenStack Cloud 6 | < 5.0.4~a0~dev6-6.1 |
| pkg:rpm/suse/openstack-ceilometer-doc | SUSE OpenStack Cloud 6 | < 5.0.4~a0~dev6-6.2 |
| pkg:rpm/suse/openstack-cinder | SUSE OpenStack Cloud 6 | < 7.0.3~a0~dev2-7.1 |
| pkg:rpm/suse/openstack-cinder-doc | SUSE OpenStack Cloud 6 | < 7.0.3~a0~dev2-7.1 |
| pkg:rpm/suse/openstack-dashboard | SUSE OpenStack Cloud 6 | < 8.0.2~a0~dev34-8.1 |
| pkg:rpm/suse/openstack-glance | SUSE OpenStack Cloud 6 | < 11.0.2~a0~dev13-7.1 |
| pkg:rpm/suse/openstack-glance-doc | SUSE OpenStack Cloud 6 | < 11.0.2~a0~dev13-7.1 |
| pkg:rpm/suse/openstack-heat | SUSE OpenStack Cloud 6 | < 5.0.2~a0~dev93-9.1 |
| pkg:rpm/suse/openstack-heat-doc | SUSE OpenStack Cloud 6 | < 5.0.2~a0~dev93-9.3 |
| pkg:rpm/suse/openstack-keystone | SUSE OpenStack Cloud 6 | < 8.1.1~a0~dev13-3.1 |
| pkg:rpm/suse/openstack-keystone-doc | SUSE OpenStack Cloud 6 | < 8.1.1~a0~dev13-3.2 |
| pkg:rpm/suse/openstack-manila | SUSE OpenStack Cloud 6 | < 1.0.2~a0~dev11-9.1 |
| pkg:rpm/suse/openstack-manila-doc | SUSE OpenStack Cloud 6 | < 1.0.2~a0~dev11-9.2 |
| pkg:rpm/suse/openstack-neutron | SUSE OpenStack Cloud 6 | < 7.1.2~a0~dev29-10.1 |
| pkg:rpm/suse/openstack-neutron-doc | SUSE OpenStack Cloud 6 | < 7.1.2~a0~dev29-10.1 |
| pkg:rpm/suse/openstack-neutron-fwaas | SUSE OpenStack Cloud 6 | < 7.1.2~a0~dev1-6.1 |
| pkg:rpm/suse/openstack-neutron-fwaas-doc | SUSE OpenStack Cloud 6 | < 7.1.2~a0~dev1-6.1 |
| pkg:rpm/suse/openstack-neutron-lbaas | SUSE OpenStack Cloud 6 | < 7.1.2~a0~dev1-6.1 |
| pkg:rpm/suse/openstack-neutron-lbaas-doc | SUSE OpenStack Cloud 6 | < 7.1.2~a0~dev1-6.1 |
| pkg:rpm/suse/openstack-nova | SUSE OpenStack Cloud 6 | < 12.0.5~a0~dev2-7.1 |
| pkg:rpm/suse/openstack-nova-doc | SUSE OpenStack Cloud 6 | < 12.0.5~a0~dev2-7.1 |
| pkg:rpm/suse/openstack-resource-agents | SUSE OpenStack Cloud 6 | < 1.0+git.1467079370.4f2c49d-7.1 |
| pkg:rpm/suse/python-networking-cisco | SUSE OpenStack Cloud 6 | < 2.1.1-6.1 |
| pkg:rpm/suse/python-openstackclient | SUSE OpenStack Cloud 6 | < 1.7.2-4.1 |
Patches
fc8d70560401: Escape angularjs templating in unsafe HTML
3 files changed · +40 −0
horizon/utils/escape.py+31 −0 added@@ -0,0 +1,31 @@ +# Copyright 2016, Rackspace, US, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +import django.utils.html + + +def escape(text, existing=django.utils.html.escape): + # Replace our angular markup string with a different string + # (which just happens to be the Django comment string) + # this prevents user-supplied data from being intepreted in + # our pages by angularjs, thus preventing it from being used + # for XSS attacks. Note that we use {$ $} instead of the + # standard {{ }} - this is configured in horizon.framework + # angularjs module through $interpolateProvider. + return existing(text).replace('{$', '{%').replace('$}', '%}') + + +# this will be invoked as early as possible in settings.py +def monkeypatch_escape(): + django.utils.html.escape = escape
openstack_dashboard/settings.py+3 −0 modified@@ -29,6 +29,9 @@ from openstack_dashboard.static_settings import get_staticfiles_dirs # noqa from openstack_dashboard import theme_settings +from horizon.utils.escape import monkeypatch_escape + +monkeypatch_escape() warnings.formatwarning = lambda message, category, *args, **kwargs: \ '%s: %s' % (category.__name__, message)
openstack_dashboard/test/settings.py+6 −0 modified@@ -18,6 +18,12 @@ from openstack_dashboard.static_settings import find_static_files # noqa from openstack_dashboard.static_settings import get_staticfiles_dirs # noqa +from horizon.utils.escape import monkeypatch_escape + +# this is used to protect from client XSS attacks, but it's worth +# enabling in our test setup to find any issues it might cause +monkeypatch_escape() + STATICFILES_DIRS = get_staticfiles_dirs() TEST_DIR = os.path.dirname(os.path.abspath(__file__))
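Review bot: In the `escape` wrapper added in horizon/utils/escape.py, the protection depends entirely on the `{$`/`$}` delimiters configured through `$interpolateProvider`; the comment should say explicitly that any template or third-party Angular code still using the default `{{ }}` delimiters is not covered by this replacement, so nobody later assumes the monkeypatch is a general Angular-injection guard. Two smaller points in the same hunk: the default argument `existing=django.utils.html.escape` is evaluated once at import time, which is what preserves the original escaper and prevents the wrapper from recursing into itself after `monkeypatch_escape()` rebinds the module attribute, and that intent deserves a one-line comment since a well-meaning cleanup to look the function up at call time would break it; and the comment has a typo, "intepreted" should read "interpreted".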
d585e5eb9acf: Escape angularjs templating in unsafe HTML
3 files changed · +40 −0
horizon/utils/escape.py+31 −0 added@@ -0,0 +1,31 @@ +# Copyright 2016, Rackspace, US, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +import django.utils.html + + +def escape(text, existing=django.utils.html.escape): + # Replace our angular markup string with a different string + # (which just happens to be the Django comment string) + # this prevents user-supplied data from being intepreted in + # our pages by angularjs, thus preventing it from being used + # for XSS attacks. Note that we use {$ $} instead of the + # standard {{ }} - this is configured in horizon.framework + # angularjs module through $interpolateProvider + return existing(text).replace('{$', '{%').replace('$}', '%}') + + +# this will be invoked as early as possible in settings.py +def monkeypatch_escape(): + django.utils.html.escape = escape
openstack_dashboard/settings.py+3 −0 modified@@ -28,6 +28,9 @@ from openstack_dashboard.static_settings import find_static_files # noqa from openstack_dashboard.static_settings import get_staticfiles_dirs # noqa +from horizon.utils.escape import monkeypatch_escape + +monkeypatch_escape() warnings.formatwarning = lambda message, category, *args, **kwargs: \ '%s: %s' % (category.__name__, message)
openstack_dashboard/test/settings.py+6 −0 modified@@ -18,6 +18,12 @@ from openstack_dashboard.static_settings import find_static_files # noqa from openstack_dashboard.static_settings import get_staticfiles_dirs # noqa +from horizon.utils.escape import monkeypatch_escape + +# this is used to protect from client XSS attacks, but it's worth +# enabling in our test setup to find any issues it might cause +monkeypatch_escape() + STATICFILES_DIRS = get_staticfiles_dirs() TEST_DIR = os.path.dirname(os.path.abspath(__file__))
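Review bot: The `monkeypatch_escape()` call in openstack_dashboard/settings.py only takes effect for callers that look `escape` up on `django.utils.html` at call time; any module imported before this line that did `from django.utils.html import escape` keeps a reference to the unpatched function. The "as early as possible" comment in escape.py acknowledges the ordering, but the settings hunk itself gives no hint, so a future reordering of the imports above `+monkeypatch_escape()` could silently disable the fix. Add a short comment above the call stating that it must run before anything that binds `escape` by name, and consider moving it directly under the import so the two lines cannot drift apart.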
62b4e6f30a7a: Escape angularjs templating in unsafe HTML
3 files changed · +40 −0
horizon/utils/escape.py+31 −0 added@@ -0,0 +1,31 @@ +# Copyright 2016, Rackspace, US, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +import django.utils.html + + +def escape(text, existing=django.utils.html.escape): + # Replace our angular markup string with a different string + # (which just happens to be the Django comment string) + # this prevents user-supplied data from being intepreted in + # our pages by angularjs, thus preventing it from being used + # for XSS attacks. Note that we use {$ $} instead of the + # standard {{ }} - this is configured in horizon.framework + # angularjs module through $interpolateProvider. + return existing(text).replace('{$', '{%').replace('$}', '%}') + + +# this will be invoked as early as possible in settings.py +def monkeypatch_escape(): + django.utils.html.escape = escape
openstack_dashboard/settings.py+3 −0 modified@@ -29,6 +29,9 @@ from openstack_dashboard.static_settings import get_staticfiles_dirs # noqa from openstack_dashboard import theme_settings +from horizon.utils.escape import monkeypatch_escape + +monkeypatch_escape() warnings.formatwarning = lambda message, category, *args, **kwargs: \ '%s: %s' % (category.__name__, message)
openstack_dashboard/test/settings.py+6 −0 modified@@ -18,6 +18,12 @@ from openstack_dashboard.static_settings import find_static_files # noqa from openstack_dashboard.static_settings import get_staticfiles_dirs # noqa +from horizon.utils.escape import monkeypatch_escape + +# this is used to protect from client XSS attacks, but it's worth +# enabling in our test setup to find any issues it might cause +monkeypatch_escape() + STATICFILES_DIRS = get_staticfiles_dirs() TEST_DIR = os.path.dirname(os.path.abspath(__file__))
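Review bot: openstack_dashboard/test/settings.py enables the monkeypatch so the suite runs with it, which is good for catching breakage, but nothing in the change asserts the new behaviour itself. A unit test that passes a string containing `{$` and `$}` through `django.utils.html.escape` after settings have loaded and checks that the output contains `{%` and `%}` would guard both against a regression in the replacement and against the import-ordering failure mode that the "as early as possible" comment in escape.py describes.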
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.openwall.com/lists/oss-security/2016/06/17/4 (nvd: Mailing List, Patch, Third Party Advisory)
- review.openstack.org/329996 (nvd: Patch, Vendor Advisory)
- review.openstack.org/329997 (nvd: Patch, Vendor Advisory)
- review.openstack.org/329998 (nvd: Patch, Vendor Advisory)
- security.openstack.org/ossa/OSSA-2016-010.html (nvd: Patch, Vendor Advisory)
- www.debian.org/security/2016/dsa-3617 (nvd: Third Party Advisory)
- access.redhat.com/errata/RHSA-2016:1268 (nvd: Third Party Advisory)
- access.redhat.com/errata/RHSA-2016:1269 (nvd: Third Party Advisory)
- access.redhat.com/errata/RHSA-2016:1270 (nvd: Third Party Advisory)
- access.redhat.com/errata/RHSA-2016:1271 (nvd: Third Party Advisory)
- access.redhat.com/errata/RHSA-2016:1272 (nvd: Third Party Advisory)
- bugs.launchpad.net/horizon/+bug/1567673 (nvd: Issue Tracking, Third Party Advisory)
- github.com/advisories/GHSA-grm6-x6mr-q3cv (ghsa: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2016-4428 (ghsa: Advisory)
- access.redhat.com/security/cve/CVE-2016-4428 (ghsa: Web)
- bugzilla.redhat.com/show_bug.cgi (ghsa: Web)
- github.com/openstack/horizon/commit/62b4e6f30a7ae7961805abdffdb3c7ae5c2b676a (ghsa: Web)
- github.com/openstack/horizon/commit/d585e5eb9acf92d10d39b6c2038917a7e8ac71bb (ghsa: Web)
- github.com/openstack/horizon/commit/fc8d70560401f3985e5672a4c580f10d51e985a4 (ghsa: Web)