A cross-site scripting (XSS) flaw was found in the RedirectServlet of the oVirt Engine. A remote attacker could provide a specially-crafted link, that when visited by an unsuspecting oVirt user would lead to arbitrary script execution in the context of the oVirt domain. Access to the RedirectServer does not require authentication.
einav - this gerrit ID is for master.
for bug to be ON_QA it should be in the 3.3 branch (and have a build with it?
(In reply to Itamar Heim from comment #1)
> einav - this gerrit ID is for master.
> for bug to be ON_QA it should be in the 3.3 branch (and have a build with it?
I haven't actually put it on ON_QA, nevertheless:
- patch has been merged to every possible branch, not only "master" (will update the External Tracker shortly)
- http://lists.ovirt.org/pipermail/users/2013-September/016268.html (3.2 Async announcement)
- http://lists.ovirt.org/pipermail/users/2013-September/016269.html (3.3 announcement)
closing as this should be in 3.3 (doing so in bulk, so may be incorrect)