It was found that the oVirt web admin interface stored session IDs in HTML5 local storage. A remote attacker who could get script to execute in the web admin's origin (for example through a specially crafted web page loaded by a user with a valid REST API session) could read the session ID from local storage. This is possible because, although local storage is scoped to the origin by the same-origin policy (SOP), it cannot be flagged HttpOnly the way a cookie can: any script that runs in that origin can enumerate it, and its contents persist on disk after the browser is closed.
Upstream bug: https://bugzilla.redhat.com/show_bug.cgi?id=1077448
Upstream patch commit: http://gerrit.ovirt.org/#/c/25987/
Created ovirt-engine tracking bugs for this issue:
Affects: fedora-all [bug 1081926]
Note that the RESTAPI doesn't store the session IDs anywhere; it is the client that does so, in this case the UI. I have changed the component in the tracking bugs accordingly.
This issue has been addressed in the following products:
RHEV Manager version 3.4
Via RHSA-2014:0506 https://rhn.redhat.com/errata/RHSA-2014-0506.html