ESA-22: XSS in the Eucalyptus Management Console


Eucalyptus Security Team

Aug 27, 2014, 1:36:19 PM

Eucalyptus Security Advisory

Advisory ID: ESA-22
Issue Date: 2014-08-13
Last Updated: 2014-08-27
Severity Level: Critical
Affected Versions: Eucalyptus Management Console 4.0.0
CVE Number: CVE-2013-4770


An XSS vulnerability has been identified in the Eucalyptus Management Console version 4.0.0. An update is now available in 4.0.1 that resolves this issue. We recommend updating all affected Eucalyptus installations immediately.


The Eucalyptus Management Console (EMC) is a web-based interface for using Eucalyptus and AWS-compatible services. A sandbox-bypass vulnerability has been identified in AngularJS, a web application framework that is an EMC dependency. This vulnerability, combined with a lack of proper output encoding in some places within the EMC, allows cloud users to mount XSS attacks. The XSS vulnerability allows execution of potentially arbitrary JavaScript code and can lead to privilege escalation or complete compromise of the cloud.
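The following is an added example, not code from Eucalyptus or the EMC. It assumes the pattern the advisory describes: a cloud-user-controlled string (such as a resource name) is rendered server-side into markup that AngularJS later compiles in the browser, and it shows why ordinary HTML encoding alone is not sufficient output encoding in that situation.

```javascript
// Added example (not Eucalyptus/EMC code). Assumes a cloud-user-controlled
// string is rendered into markup that AngularJS will compile in the browser.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Classic HTML entity encoding: blocks markup injection, but it leaves "{{"
// untouched. Entity-encoding the braces would not help either, because the
// browser decodes entities into the text node that AngularJS then scans for
// "{{ ... }}" expressions and evaluates.
function htmlEncode(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Detection helper: true when a value carries AngularJS interpolation markers.
// Useful for input validation or for flagging suspicious resource names in logs.
function containsInterpolation(value) {
  return /\{\{[\s\S]*\}\}/.test(String(value));
}

// Safe rendering for untrusted text in an AngularJS-compiled page: HTML-encode
// AND wrap it in an element carrying ng-non-bindable, which tells AngularJS not
// to compile or interpolate anything inside that element.
function renderUntrusted(value) {
  return '<span ng-non-bindable>' + htmlEncode(value) + '</span>';
}

// Constructed sample inputs (not taken from the advisory).
const samples = ['my-instance', '<b>name</b>', '{{ 1 + 1 }}'];

for (const s of samples) {
  console.log(JSON.stringify(s), containsInterpolation(s), renderUntrusted(s));
}
```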

Eucalyptus would like to thank the following individuals for finding and reporting the issue:
- Jann Horn, who discovered the sandbox-bypass vulnerability in AngularJS
- Mario Heiderich of Cure53, who found and reported the vulnerability in the EMC
- Dennis Felsch of Ruhr-University Bochum, who set up the test-server infrastructure


Eucalyptus Management Console version 4.0.1 resolves this issue. Please see for instructions on downloading and upgrading to the latest Eucalyptus software.


Contact the Eucalyptus Security Team at
