oVirt Engine before 3.5.0 does not include the HTTPOnly flag in a Set-Cookie header for the session IDs, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.
References
Link | Resource |
---|---|
http://rhn.redhat.com/errata/RHSA-2015-0158.html | Patch Vendor Advisory |
https://bugzilla.redhat.com/show_bug.cgi?id=1077450 | Vendor Advisory |
Configurations
History
13 Feb 2023, 00:34
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
Summary | oVirt Engine before 3.5.0 does not include the HTTPOnly flag in a Set-Cookie header for the session IDs, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie. |
02 Feb 2023, 16:15
Type | Values Removed | Values Added |
---|---|---|
Summary | It was found that the oVirt web admin interface did not include the HttpOnly flag when setting session IDs with the Set-Cookie header. This flaw could make it is easier for a remote attacker to hijack an oVirt web admin session by leveraging a cross-site scripting (XSS) vulnerability. | |
References |
|
Information
Published : 2015-02-13 15:59
Updated : 2023-12-10 11:31
NVD link : CVE-2014-0154
Mitre link : CVE-2014-0154
CVE.ORG link : CVE-2014-0154
JSON object : View
Products Affected
ovirt
- ovirt
CWE
CWE-200
Exposure of Sensitive Information to an Unauthorized Actor