[Bug 1940450] Re: XSS The data-template attribute of the tooltip and popover plugins lacks input sanitization and may allow attacker to execute arbitrary JavaScript.
Jeremy Stanley
1940450 at bugs.launchpad.net
Wed Aug 25 13:28:53 UTC 2021
I too am entirely out of my comfort zone with JavaScript, so my level of
certainty is low, based solely on the text of CVE-2019-8331 which says
(all?) Bootstrap versions prior to 3.4.1 are affected. I also did not
check the rdepends for python3-xstatic-bootstrap-scss in Ubuntu and
perhaps incorrectly assumed it might be used by more packages or by
unpackaged software on people's systems.
I'll continue trying to get one of the Horizon developers to provide
input on this report... I am but a humble vulnerability coordinator in
this particular case, far from being a subject matter expert on the
software.
https://bugs.launchpad.net/bugs/1940450
Title:
XSS: The data-template attribute of the tooltip and popover plugins
lacks input sanitization and may allow an attacker to execute arbitrary
JavaScript.
Status in Ubuntu Cloud Archive:
New
Status in OpenStack Dashboard (Horizon):
Invalid
Status in OpenStack Security Advisory:
Invalid
Status in horizon package in Ubuntu:
New
Status in python-xstatic-bootstrap-scss package in Ubuntu:
New
Bug description:
The data-template attribute of the tooltip and popover plugins lacks
input sanitization and may allow an attacker to execute arbitrary
JavaScript.
GitHub source (upstream PR): https://github.com/twbs/bootstrap/pull/28236
GitHub upstream fix commit: https://github.com/twbs/bootstrap/pull/28236/commits/5efa9b531d25927b907e3fa24b818608bc38a2f0
Ubuntu CVE tracker: https://ubuntu.com/security/CVE-2019-8331
Affected build checked: openstack-dashboard from the xenial UCA, python-django-horizon version 13.0.2-0ubuntu3~cloud0
`pull-uca-source python-django-horizon 3:13.0.2-0ubuntu3~cloud0`