It was found that the oVirt web admin interface did not generate a new session ID after authenticating a user. A remote attacker could use this flaw to perform session fixation attacks.
Upstream bug: https://bugzilla.redhat.com/show_bug.cgi?id=1077446
Upstream patch commit: http://gerrit.ovirt.org/#/c/25959/
Created ovirt-engine tracking bugs for this issue:
Affects: fedora-all [bug 1081912]
This issue has been addressed in the following products:
RHEV Manager version 3.4
Via RHSA-2014:0506 https://rhn.redhat.com/errata/RHSA-2014-0506.html
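The flaw described at the top of this report, modeled as an added example (this is not oVirt code and not the upstream patch): a hypothetical in-memory `SessionStore` whose login either keeps the pre-authentication session ID or issues a new one, with a regression check that an ID known before login is not authenticated afterwards. All class, function and user names are assumptions made for the illustration.

```python
import secrets


class SessionStore:
    """Hypothetical server-side session table, used only for this illustration."""

    def __init__(self, rotate_on_login):
        self.rotate_on_login = rotate_on_login
        self.sessions = {}  # session ID -> {"user": name or None}

    def new_session(self):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def login(self, sid, user, password_ok):
        """Authenticate a session; return the ID the client must use afterwards."""
        if sid not in self.sessions:
            sid = self.new_session()  # never adopt an ID the server did not issue
        if not password_ok:
            return sid
        if self.rotate_on_login:
            data = self.sessions.pop(sid)  # the pre-login ID stops being valid
            sid = secrets.token_urlsafe(32)
            self.sessions[sid] = data
        self.sessions[sid]["user"] = user
        return sid

    def whoami(self, sid):
        return self.sessions.get(sid, {}).get("user")


def fixation_check(store):
    """Regression check: an ID known before login must not be authenticated after it."""
    pre_auth = store.new_session()  # ID that existed before authentication
    post_auth = store.login(pre_auth, "admin", password_ok=True)  # constructed user
    return {
        "id_rotated": pre_auth != post_auth,
        "old_id_user": store.whoami(pre_auth),
        "new_id_user": store.whoami(post_auth),
    }
```

The same assertion (session ID differs across the authentication boundary, and the old ID no longer resolves to a user) works as an integration test against a real login endpoint by comparing the session cookie before and after authentication.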