BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to the Zeroday Tracker: Your Vulnerability Watchlist


oVirt 3.4 Session Fixation and CSRF Vulnerabilities

Disclosed March 17, 2014

Vulnerability Description:

oVirt contains two vulnerabilities: a session fixation flaw that may allow an attacker to take over a session and perform actions on a target's behalf within the context of an already authenticated session, and a cross-site request forgery flaw that allows an attacker to execute commands on the target's behalf.

Vendors:

Red Hat

Vulnerable Software/Devices:

oVirt 3.4 and possibly other versions

Vulnerability Severity:

Medium

Exploit Availability:

N/A

Exploit Impact:

Session Hijacking
An attacker may trick a user into clicking a maliciously crafted link, allowing the attacker to hijack an existing session. Once the session is hijacked, the attacker may perform any action available to the user, on the user's behalf.

Cross-site Request Forgery
Exploitation of this vulnerability is possible via forged HTTP request forms. Attackers who successfully exploit this vulnerability may be able to execute user actions.
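Both weaknesses above are general web-application issues, and the two controls that address them are well understood: regenerate the session identifier at the moment a user authenticates (so an identifier that existed before login cannot be carried into the authenticated session), and bind a random per-session synchronizer token that every state-changing request must present. The following is an added illustration written for this page, not oVirt code and not a patch from the advisory; the in-memory SessionStore, the hypothetical handle_delete_vm endpoint and the sample user names are constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Session:
    """Server-side session record (constructed for this example)."""
    user: Optional[str] = None
    # Synchronizer token: random per session, never derived from the session id.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


class SessionStore:
    """Hypothetical in-memory session store; a real app would use a backing DB."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self) -> str:
        """Issue an anonymous (pre-authentication) session id."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session()
        return sid

    def get(self, sid: str) -> Optional[Session]:
        return self._sessions.get(sid)

    def login_fixating(self, sid: str, user: str) -> str:
        """Weak pattern: authenticates the existing id in place, so whoever
        knew the id before login now holds an authenticated session."""
        session = self._sessions[sid]
        session.user = user
        return sid

    def login_regenerating(self, sid: str, user: str) -> str:
        """Hardened pattern: discard the pre-auth id and issue a fresh one
        (with a fresh CSRF token) at the moment privilege changes."""
        self._sessions.pop(sid, None)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = Session(user=user)
        return new_sid


def csrf_token_valid(store: SessionStore, sid: str, submitted: Optional[str]) -> bool:
    """Accept a state-changing request only if the form carries the token
    bound to this authenticated session; compare in constant time."""
    session = store.get(sid)
    if session is None or session.user is None or not submitted:
        return False
    return hmac.compare_digest(session.csrf_token.encode(), submitted.encode())


def handle_delete_vm(store: SessionStore, sid: str, form: Dict[str, str]) -> str:
    """Hypothetical state-changing endpoint guarded by the token check.
    A request built by a third-party page carries the victim's cookie (sid)
    but cannot read the per-session token, so it is rejected here."""
    if not csrf_token_valid(store, sid, form.get("csrf_token")):
        return "403 rejected: missing or wrong CSRF token"
    return f"200 ok: vm {form.get('vm')} deleted by {store.get(sid).user}"


if __name__ == "__main__":
    store = SessionStore()
    pre_auth_sid = store.create()
    authed_sid = store.login_regenerating(pre_auth_sid, "alice")
    print("old id still valid:", store.get(pre_auth_sid) is not None)   # False
    token = store.get(authed_sid).csrf_token
    print(handle_delete_vm(store, authed_sid, {"vm": "db01"}))                 # 403
    print(handle_delete_vm(store, authed_sid, {"vm": "db01", "csrf_token": token}))  # 200
```

The token is served to the legitimate form by the application (typically as a hidden field) and checked on every POST; the session-id rotation happens once, at login, and invalidates the previous identifier rather than merely copying it.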

BeyondTrust Prevention and Detection:

BeyondTrust's Retina® Network Security Scanner scans devices to detect this vulnerability.

  • 33541 - oVirt 3.4 and Prior Multiple Vulnerabilities (Zero-Day)

Mitigation:

No mitigations are currently available.

Links:

CVE(s):

None