Jeremy Choi (jechoi) of Red Hat reports: Description of problem: Since the web console is using 'Basic authentication' and the REST API has no CSRF attack protection mechanism, the credential, the Authorization: header, can be sent when requesting the REST API via a web browser. As a result, while users are authenticated, malicious links or scripts provided by attackers can cause unwanted actions.
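The mechanism in the report above, as an added example that is not part of the original report or of the affected product: a minimal model of a REST endpoint that decides on HTTP Basic authentication alone, beside a hardened variant that additionally checks the request's Origin and requires a custom header that a cross-site HTML form cannot set. The user name, password, console origin and header name are assumptions chosen for the example; the two sample requests are constructed to mirror what a browser sends for an attacker's auto-submitting form versus the console's own XMLHttpRequest call.

```python
import base64
import hmac
from dataclasses import dataclass, field

# Assumptions for the example: one console account, the console's own origin,
# and the custom header the hardened endpoint demands on state-changing calls.
VALID_USERS = {"admin": "s3cret"}
CONSOLE_ORIGIN = "https://console.example.com"
CSRF_HEADER = "X-Requested-With"
STATE_CHANGING = ("POST", "PUT", "DELETE", "PATCH")


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)


def basic_auth_user(headers):
    """Return the user name if Authorization carries valid Basic credentials, else None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Basic" or not token:
        return None
    try:
        user, _, password = base64.b64decode(token, validate=True).decode().partition(":")
    except ValueError:  # binascii.Error and UnicodeDecodeError both subclass ValueError
        return None
    expected = VALID_USERS.get(user)
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return None
    return user


def legacy_handler(req):
    """Vulnerable: authentication alone decides. Once the user has logged in to the
    console, the browser attaches the cached Basic credential to every request for
    this host, so a cross-site form post is indistinguishable from a console action."""
    user = basic_auth_user(req.headers)
    if user is None:
        return 401, "authentication required"
    return 200, f"{req.method} {req.path} executed as {user}"


def hardened_handler(req):
    """Same auth check plus two CSRF defences for state-changing methods:
    the Origin (or Referer) must be the console's own origin, and a custom
    header must be present. A plain HTML form cannot set custom headers, and
    cross-origin XHR may only add them if CORS explicitly allows it."""
    user = basic_auth_user(req.headers)
    if user is None:
        return 401, "authentication required"
    if req.method in STATE_CHANGING:
        origin = req.headers.get("Origin") or req.headers.get("Referer", "")
        if not (origin == CONSOLE_ORIGIN or origin.startswith(CONSOLE_ORIGIN + "/")):
            return 403, "cross-origin request rejected"
        if req.headers.get(CSRF_HEADER) != "XMLHttpRequest":
            return 403, f"missing {CSRF_HEADER} header"
    return 200, f"{req.method} {req.path} executed as {user}"


def cached_credential():
    """The header the browser re-sends automatically after the first Basic login."""
    return "Basic " + base64.b64encode(b"admin:s3cret").decode()


def forged_request():
    """Constructed: an auto-submitting form on attacker.example posts to the API.
    The browser adds the cached credential; the attacker controls the body and
    target only, so Origin is the attacker's site and no custom header is present."""
    return Request("POST", "/rest/users", {
        "Authorization": cached_credential(),
        "Origin": "https://attacker.example",
        "Content-Type": "application/x-www-form-urlencoded",
    })


def console_request():
    """Constructed: the console's own XMLHttpRequest to the same endpoint."""
    return Request("POST", "/rest/users", {
        "Authorization": cached_credential(),
        "Origin": CONSOLE_ORIGIN,
        CSRF_HEADER: "XMLHttpRequest",
        "Content-Type": "application/json",
    })


if __name__ == "__main__":
    for name, handler in (("legacy", legacy_handler), ("hardened", hardened_handler)):
        print(name, "forged  ->", handler(forged_request()))
        print(name, "console ->", handler(console_request()))
```

The legacy handler returns 200 for the forged request because the credential check succeeds; the hardened one returns 403 while still accepting the console's own call. The custom-header defence only holds as long as the API does not also answer cross-origin preflights permissively (an `Access-Control-Allow-Origin: *` plus allowed custom headers would let attacker-origin XHR add the header), and the Origin check is the backstop for that case. Note also that Basic credentials cached by the browser cannot be invalidated server-side, so this class of bug remains exploitable for as long as the browser session lives; the errata referenced below carries the vendor fix.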
Acknowledgements: This issue was discovered by Jeremy Choi of the Red Hat Hosted and Shared Services team.
This issue was addressed in http://rhn.redhat.com/errata/RHEA-2013-1031.html