cpe:2.3:a:openstack:horizon:*:*:*:*:*:*:*:*

part: a version: * update: *

Vendor: Openstack (7b0cf974-b2b5-592e-bdf4-6953805ef02a)
Product: Horizon (e7083d4d-18db-5d21-bd2a-55bbcb933374)
Edition: *
Language: *
Software edition: *
Target software: *
Target hardware: *
Other: *
Notes: Imported from purl2cpe mapping

PURL mappings

PURL | Source | Last updated
pkg:deb/debian/horizon | purl2cpe | 2026-06-01 10:17:03.184120
pkg:deb/ubuntu/horizon | purl2cpe | 2026-06-01 10:17:03.184122
pkg:github/openstack/horizon | purl2cpe | 2026-06-01 10:17:03.184123
pkg:pypi/horizon | purl2cpe | 2026-06-01 10:17:03.184125
pkg:rpm/opensuse/python-horizon | purl2cpe | 2026-06-01 10:17:03.184126

Vulnerability references

Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale
CVE:CVE-2026-43002 vulnerable 2026-06-03 15:25:01.832126 Details available
MEDIUM (5.3)
An issue was discovered in OpenStack Horizon 25.6 and 25.7 before 25.7.3. There is a write operation to the session storage backend before authentication and thus storage can be exhausted by unauthenticated requests. This is a regression of the CVE-2014-8124 fix.
Published: 2026-05-05T00:00:00.000Z
Updated: 2026-05-06T06:05:23.992Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-45582 vulnerable 2026-06-03 14:48:24.350753 Details available
Open Redirect vulnerability in Horizon Web Dashboard 19.4.0 thru 20.1.4 via the success_url parameter.
Published: 2023-08-22T00:00:00.000Z
Updated: 2024-08-03T14:17:03.817Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-29565 vulnerable 2026-06-03 14:42:29.599890 Details available
An issue was discovered in OpenStack Horizon before 15.3.2, 16.x before 16.2.1, 17.x and 18.x before 18.3.3, 18.4.x, and 18.5.x. There is a lack of validation of the "next" parameter, which would allow someone to supply a malicious URL in Horizon that can cause an automatic redirect to the provided malicious URL.
Published: 2020-12-04T07:06:03.000Z
Updated: 2024-08-04T16:55:10.412Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2016-4428 vulnerable 2026-06-03 14:35:47.945289 Details available
Cross-site scripting (XSS) vulnerability in OpenStack Dashboard (Horizon) 8.0.1 and earlier and 9.0.0 through 9.0.1 allows remote authenticated users to inject arbitrary web script or HTML by injecting an AngularJS template in a dashboard form.
Published: 2016-07-12T19:00:00.000Z
Updated: 2024-08-06T00:32:24.621Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2014-8578 vulnerable 2026-06-03 14:34:24.636916 Details available
Cross-site scripting (XSS) vulnerability in the Groups panel in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2 allows remote administrators to inject arbitrary web script or HTML via a user email address, a different vulnerability than CVE-2014-3475.
Published: 2014-10-31T15:00:00.000Z
Updated: 2024-09-17T01:30:57.110Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2014-8124 vulnerable 2026-06-03 14:34:22.939681 Details available
OpenStack Dashboard (Horizon) before 2014.1.3 and 2014.2.x before 2014.2.1 does not properly handle session records when using a db or memcached session engine, which allows remote attackers to cause a denial of service via a large number of requests to the login page.
Published: 2014-12-12T15:00:00.000Z
Updated: 2024-08-06T13:10:50.827Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2014-3594 vulnerable 2026-06-03 14:33:55.492401 Details available
Cross-site scripting (XSS) vulnerability in the Host Aggregates interface in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-3 allows remote administrators to inject arbitrary web script or HTML via a new host aggregate name.
Published: 2014-08-22T14:00:00.000Z
Updated: 2024-08-06T10:50:18.100Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2014-3475 vulnerable 2026-06-03 14:33:54.636590 Details available
Cross-site scripting (XSS) vulnerability in the Users panel (admin/users/) in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2 allows remote administrators to inject arbitrary web script or HTML via a user email address, a different vulnerability than CVE-2014-8578.
Published: 2014-10-31T15:00:00.000Z
Updated: 2024-08-06T10:43:06.308Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2014-3474 vulnerable 2026-06-03 14:33:54.636217 Details available
Cross-site scripting (XSS) vulnerability in horizon/static/horizon/js/horizon.instances.js in the Launch Instance menu in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2 allows remote authenticated users to inject arbitrary web script or HTML via a network name.
Published: 2014-10-31T15:00:00.000Z
Updated: 2024-08-06T10:43:06.349Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2014-3473 vulnerable 2026-06-03 14:33:54.635129 Details available
Cross-site scripting (XSS) vulnerability in the Orchestration/Stack section in the Horizon Orchestration dashboard in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2, when used with Heat, allows remote Orchestration template owners or catalogs to inject arbitrary web script or HTML via a crafted template.
Published: 2014-10-31T15:00:00.000Z
Updated: 2024-08-06T10:43:06.106Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2013-6858 vulnerable 2026-06-03 14:33:32.782340 Details available
Multiple cross-site scripting (XSS) vulnerabilities in OpenStack Dashboard (Horizon) 2013.2 and earlier allow local users to inject arbitrary web script or HTML via an instance name to (1) "Volumes" or (2) "Network Topology" page.
Published: 2013-11-23T17:00:00.000Z
Updated: 2024-08-06T17:46:23.886Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2013-4471 vulnerable 2026-06-03 14:33:17.042913 Details available
The Identity v3 API in OpenStack Dashboard (Horizon) before 2013.2 does not require the current password when changing passwords for user accounts, which makes it easier for remote attackers to change a user password by leveraging the authentication token for that user.
Published: 2014-05-14T19:00:00.000Z
Updated: 2024-08-06T16:45:14.609Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2012-5474 vulnerable 2026-06-03 14:32:30.390265 Details available
The file /etc/openstack-dashboard/local_settings within Red Hat OpenStack Platform 2.0 and RHOS Essex Release (python-django-horizon package before 2012.1.1) is world readable and exposes the secret key value.
Published: 2019-12-30T19:36:51.000Z
Updated: 2024-08-06T21:05:47.279Z
Imported from gcve-enriched-dumps CVE data
