Red Hat Bugzilla – Bug 988774
CVE-2013-4181 ovirt-engine: RedirectServlet cross-site scripting flaw
Last modified: 2016-12-04 15:44:00 EST
A cross-site scripting (XSS) flaw was found in the RedirectServlet of the oVirt Engine and Red Hat Enterprise Virtualization Manager (RHEV-M). A remote attacker could provide a specially crafted link that, when visited by an unsuspecting RHEV-M / oVirt user, would lead to arbitrary script execution in the context of the RHEV-M / oVirt domain. Access to the RedirectServlet does not require authentication.
This problem is in the addAlert method of the RedirectServlet.
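The bug page does not reproduce the addAlert code, so the following is an added illustration of the general pattern behind a reflected XSS in a servlet, written for this note and not taken from ovirt-engine: a request-supplied message is concatenated into HTML, and the fix is to entity-encode it for the HTML text context before it is written. The class name, method names and the sample input are assumptions; the tiny escapeHtml helper stands in for a proper encoder library.

```java
// Added example, not ovirt-engine code: models the class of flaw described above
// (a request parameter reflected into an HTML alert) and its encoding fix.
public class RedirectAlertExample {

    // Hypothetical "before": the message is concatenated straight into markup,
    // so any '<', '>', '&' or quotes in the request parameter become live HTML.
    static String unsafeAlertHtml(String message) {
        return "<div class=\"alert\">" + message + "</div>";
    }

    // Minimal HTML entity escaping for an element text context. In a real
    // project use a maintained encoder; this is kept inline so the example
    // compiles without dependencies.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // "After": the same fragment, but the message is encoded first, so the
    // only tags in the output are the ones the servlet itself wrote.
    static String safeAlertHtml(String message) {
        return "<div class=\"alert\">" + escapeHtml(message) + "</div>";
    }

    // Review/test aid: count how many tags the rendered fragment contains.
    // The wrapper alone contributes exactly two ('<div ...>' and '</div>');
    // anything above that came from the reflected parameter.
    static int countTags(String html) {
        int n = 0;
        for (int i = 0; i < html.length(); i++) {
            if (html.charAt(i) == '<') n++;
        }
        return n;
    }

    public static void main(String[] args) {
        // Constructed sample input containing markup characters (not a payload).
        String input = "<b>Session expired</b> & please sign in again";

        String unsafe = unsafeAlertHtml(input);
        String safe = safeAlertHtml(input);

        System.out.println("unsafe: " + unsafe + "  tags=" + countTags(unsafe));
        System.out.println("safe:   " + safe + "  tags=" + countTags(safe));

        // Expected: the unsafe rendering carries the input's <b></b> as real
        // tags (4 in total); the safe rendering has only the 2 wrapper tags.
        if (countTags(safe) != 2) {
            throw new AssertionError("encoded output should contain only the wrapper tags");
        }
    }
}
```

The same principle applies regardless of framework: choose the encoding for the context the data lands in (HTML text, attribute, URL, JavaScript string) and apply it at the point of output, since the unauthenticated entry point noted above means the servlet cannot rely on any upstream trust in the parameter.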
Red Hat would like to thank Kayhan KAYIHAN of Endersys A.Ş. for reporting this issue.
This issue has been addressed in the following products:
RHEV Manager version 3.2
Via RHSA-2013:1210 https://rhn.redhat.com/errata/RHSA-2013-1210.html