oVirt contains two vulnerabilities: one that may allow an attacker to take over a session and perform actions on a target's behalf within the context of an already authenticated session, and another that allows cross-site request forgery, which lets an attacker execute commands on the target's behalf.
oVirt 3.4 and possibly other versions
An attacker may trick a user into clicking a maliciously crafted link, allowing the attacker to hijack an existing session. Once the session is hijacked, the attacker may perform any actions available to the user, on the user's behalf.
Cross-site Request Forgery
Exploitation of this vulnerability is possible via forged HTTP request forms. Attackers who successfully exploit this vulnerability may be able to execute user actions.
BeyondTrust Prevention and Detection:
BeyondTrust's Retina® Network Security Scanner scans devices to detect this vulnerability.
- 33541 - oVirt 3.4 and Prior Multiple Vulnerabilities (Zero-Day)
No mitigations are currently available.