A cross-site scripting (XSS) flaw was found in the RedirectServlet of the oVirt Engine and Red Hat Enterprise Virtualization Manager (RHEV-M). A remote attacker could provide a specially crafted link that, when visited by an unsuspecting RHEV-M / oVirt user, would lead to arbitrary script execution in the context of the RHEV-M / oVirt domain. Access to the RedirectServlet does not require authentication, so the crafted link is reflected without the victim having to log in, while the injected script still runs in the origin of the management web interface.
This problem is in the addAlert method of the RedirectServlet:
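As an added illustration, not the oVirt RedirectServlet source (which is not reproduced on this page), the following Java class shows the pattern behind this class of bug: an attacker-influenced message is concatenated into HTML verbatim, beside a variant that HTML-escapes it before output. The class name, the method names, the HTML layout and the payload string are assumptions made for this example; in a real servlet the message would come from a request parameter rather than a method argument.

```java
/**
 * Hypothetical illustration of a reflected XSS pattern in a servlet-style
 * page that renders an "alert" message. Not the oVirt RedirectServlet code;
 * names and markup are assumptions made for this example.
 */
public class AlertRenderer {

    /** Vulnerable variant: the message is placed into the HTML unchanged. */
    public static String addAlertUnsafe(String message) {
        return "<div class=\"alert\">" + message + "</div>";
    }

    /** Hardened variant: HTML-significant characters are escaped first. */
    public static String addAlertSafe(String message) {
        return "<div class=\"alert\">" + escapeHtml(message) + "</div>";
    }

    /**
     * Minimal HTML escaper for text content and attribute values. In a real
     * project a library escaper (e.g. from commons-lang or OWASP) would be used;
     * this one is inlined so the example runs without dependencies.
     */
    static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed payload of the kind an attacker would embed in a crafted link.
        String payload = "<script>alert(document.domain)</script>";

        String unsafe = addAlertUnsafe(payload);
        String safe = addAlertSafe(payload);

        System.out.println("unsafe: " + unsafe);
        System.out.println("safe:   " + safe);

        // The unsafe output still contains a live <script> element; the safe
        // output contains only the escaped text &lt;script&gt;...
        System.out.println("script tag survives in unsafe output: " + unsafe.contains("<script>"));
        System.out.println("script tag survives in safe output:   " + safe.contains("<script>"));
    }
}
```

The check to make when auditing a servlet like this is whether every value that reaches the response body, including error and redirect messages that are easy to overlook, passes through an output encoder appropriate to the HTML context it lands in; the unauthenticated reachability of the endpoint only widens who can be targeted, it does not change the fix.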
Red Hat would like to thank Kayhan KAYIHAN of Endersys A.Ş. for reporting this issue.
This issue has been addressed in the following products:
RHEV Manager version 3.2
Via RHSA-2013:1210 https://rhn.redhat.com/errata/RHSA-2013-1210.html