The Apache CloudStack Blog
[CVE-2013-2136] Apache CloudStack Cross-site scripting (XSS) vulnerability
Product: Apache CloudStack
Vendor: The Apache Software Foundation
Vulnerability Type(s): Cross-site scripting (XSS)
Vulnerable version(s): Apache CloudStack versions 4.0.0-incubating, 4.0.1-incubating, 4.0.2 and 4.1.0
CVE References: CVE-2013-2136
Risk Level: Low
CVSSv2 Base Scores: 4 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
The Apache CloudStack Security Team was notified of an issue in the Apache CloudStack user interface that allows an authenticated user to execute a cross-site scripting attack against other users within the system.
Updating to Apache CloudStack versions 4.1.1 or higher will mitigate this vulnerability.
Please see the 4.1.1 release notes for further information about how to upgrade:
This issue was identified by Oleg Boytsev from strongserver.org.