VYPR

Horizon

by OpenStack

pypi: horizon

Source repositories

CVEs (27)

  • CVE-2026-22420HigMar 5, 2026
    risk 0.53cvss 8.1epss 0.01

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Horizon horizon allows PHP Local File Inclusion.This issue affects Horizon: from n/a through <= 1.1.

  • CVE-2025-53122MedJun 26, 2025
    risk 0.45cvss epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in OpenNMS Horizon and Meridian applications allows SQL Injection.  Users should upgrade to Meridian 2024.2.6 or newer, or Horizon 33.16 or newer. Meridian and Horizon…

  • CVE-2025-53121MedJun 26, 2025
    risk 0.45cvss epss 0.00

    Multiple stored XSS were found on different nodes with unsanitized parameters in OpenMNS Horizon 33.0.8 and versions earlier than 33.1.6 on multiple platforms that allow an attacker to store on database and then inject HTML and/or Javascript on the page. The solution is to…

  • CVE-2026-55748modJun 17, 2026
    risk 0.39cvss 6.0epss 0.00

    OpenStack Horizon: OpenStack Horizon: Information disclosure or integrity compromise via crafted project name with shell metacharacters

  • CVE-2017-7400MedApr 3, 2017
    risk 0.31cvss 4.8epss 0.01

    OpenStack Horizon 9.x through 9.1.1, 10.x through 10.0.2, and 11.0.0 allows remote authenticated administrators to conduct XSS attacks via a crafted federation mapping.

  • CVE-2016-4428MedJul 12, 2016
    risk 0.28cvss 5.4epss 0.02

    Cross-site scripting (XSS) vulnerability in OpenStack Dashboard (Horizon) 8.0.1 and earlier and 9.0.0 through 9.0.1 allows remote authenticated users to inject arbitrary web script or HTML by injecting an AngularJS template in a dashboard form.

  • CVE-2023-40612Aug 23, 2023
    risk 0.00cvss epss 0.00

    In OpenMNS Horizon 31.0.8 and versions earlier than 32.0.2, the file editor which is accessible to any user with ROLE_FILESYSTEM_EDITOR privileges is vulnerable to XXE injection attacks. The solution is to upgrade to Meridian 2023.1.5 or Horizon 32.0.2 or newer. Meridian and…

  • CVE-2022-1655Jul 22, 2022
    risk 0.00cvss epss 0.00

    An Incorrect Permission Assignment for Critical Resource flaw was found in Horizon on Red Hat OpenStack. Horizon session cookies are created without the HttpOnly flag despite HorizonSecureCookies being set to true in the environmental files, possibly leading to a loss of…

  • CVE-2021-25932Jun 1, 2021
    risk 0.00cvss epss 0.01

    In OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.6-1 are vulnerable to Stored Cross-Site…

  • CVE-2021-25935May 25, 2021
    risk 0.00cvss epss 0.01

    In OpenNMS Horizon, versions opennms-17.0.0-1 through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.7-1 are vulnerable to Stored Cross-Site…

  • CVE-2020-11886Apr 17, 2020
    risk 0.00cvss epss 0.01

    OpenNMS Horizon and Meridian allows HQL Injection in element/nodeList.htm (aka the NodeListController) via snmpParm or snmpParmValue to addCriteriaForSnmpParm. This affects Horizon before 25.2.1, Meridian 2019 before 2019.1.4, Meridian 2018 before 2018.1.16, and Meridian 2017…

  • CVE-2015-3219Aug 20, 2015
    risk 0.00cvss epss 0.03

    Cross-site scripting (XSS) vulnerability in the Orchestration/Stack section in OpenStack Dashboard (Horizon) 2014.2 before 2014.2.4 and 2015.1.x before 2015.1.1 allows remote attackers to inject arbitrary web script or HTML via the description parameter in a heat template, which…

  • CVE-2015-3988May 19, 2015
    risk 0.00cvss epss 0.02

    Multiple cross-site scripting (XSS) vulnerabilities in OpenStack Dashboard (Horizon) 2015.1.0 allow remote authenticated users to inject arbitrary web script or HTML via the metadata to a (1) Glance image, (2) Nova flavor or (3) Host Aggregate.

  • CVE-2014-8124Dec 12, 2014
    risk 0.00cvss epss 0.03

    OpenStack Dashboard (Horizon) before 2014.1.3 and 2014.2.x before 2014.2.1 does not properly handle session records when using a db or memcached session engine, which allows remote attackers to cause a denial of service via a large number of requests to the login page.

  • CVE-2014-8578Oct 31, 2014
    risk 0.00cvss epss 0.01

    Cross-site scripting (XSS) vulnerability in the Groups panel in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2 allows remote administrators to inject arbitrary web script or HTML via a user email address, a different vulnerability…

  • CVE-2014-3475Oct 31, 2014
    risk 0.00cvss epss 0.01

    Cross-site scripting (XSS) vulnerability in the Users panel (admin/users/) in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2 allows remote administrators to inject arbitrary web script or HTML via a user email address, a different…

  • CVE-2014-3474Oct 31, 2014
    risk 0.00cvss epss 0.02

    Cross-site scripting (XSS) vulnerability in horizon/static/horizon/js/horizon.instances.js in the Launch Instance menu in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2 allows remote authenticated users to inject arbitrary web…

  • CVE-2014-3473Oct 31, 2014
    risk 0.00cvss epss 0.02

    Cross-site scripting (XSS) vulnerability in the Orchestration/Stack section in the Horizon Orchestration dashboard in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2, when used with Heat, allows remote Orchestration template owners…

  • CVE-2014-3594Aug 22, 2014
    risk 0.00cvss epss 0.02

    Cross-site scripting (XSS) vulnerability in the Host Aggregates interface in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-3 allows remote administrators to inject arbitrary web script or HTML via a new host aggregate name.

  • CVE-2013-4471May 14, 2014
    risk 0.00cvss epss 0.01

    The Identity v3 API in OpenStack Dashboard (Horizon) before 2013.2 does not require the current password when changing passwords for user accounts, which makes it easier for remote attackers to change a user password by leveraging the authentication token for that user.

Page 1 of 2