It was found that the oVirt web admin interface did not include the HttpOnly flag when setting session IDs with the Set-Cookie header. As a result, it is easier for remote attackers to hijack an oVirt web admin session by leveraging a cross-site scripting (XSS) vulnerability.
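As an added example (not oVirt's own code), the check below parses Set-Cookie header values and flags session cookies that lack the HttpOnly (and Secure) attribute; the header samples and the session-cookie name pattern are constructed assumptions, not taken from oVirt.

```python
"""Audit Set-Cookie headers for session cookies missing HttpOnly/Secure.
Added example; header samples below are constructed, not captured from oVirt."""
import re
from typing import Dict, List

# Assumed heuristic for session-bearing cookie names (JSESSIONID is the
# Java servlet default; the others are common conventions).
SESSION_NAME_RE = re.compile(r"(sess|jsessionid|token|auth)", re.IGNORECASE)


def parse_set_cookie(header_value: str) -> Dict[str, object]:
    """Split one Set-Cookie value into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        # Flag attributes (HttpOnly, Secure) have no value; store them as True.
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_cookies(set_cookie_headers: List[str]) -> List[str]:
    """Return one finding per session cookie lacking HttpOnly or Secure."""
    findings = []
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if not SESSION_NAME_RE.search(str(cookie["name"])):
            continue  # non-session cookie: attributes are less critical
        attrs = cookie["attrs"]
        if "httponly" not in attrs:
            findings.append(f"{cookie['name']}: missing HttpOnly (exposed to script via document.cookie)")
        if "secure" not in attrs:
            findings.append(f"{cookie['name']}: missing Secure (may travel over plain HTTP)")
    return findings


# Constructed samples: the first mirrors the flaw described above,
# the second is the hardened form a fix should emit.
VULNERABLE = ["JSESSIONID=abc123; Path=/"]
FIXED = ["JSESSIONID=abc123; Path=/; Secure; HttpOnly"]

if __name__ == "__main__":
    for label, headers in (("vulnerable", VULNERABLE), ("fixed", FIXED)):
        print(label, audit_cookies(headers) or ["no findings"])
```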
Upstream bug: https://bugzilla.redhat.com/show_bug.cgi?id=1077450
Upstream patch commit: http://gerrit.ovirt.org/#/c/25915/

Created ovirt-engine tracking bugs for this issue:
Affects: fedora-all [bug 1081929]

This issue has been addressed in the following products:
RHEV Manager version 3.5
Via RHSA-2015:0158 https://rhn.redhat.com/errata/RHSA-2015-0158.html