CVSS: 5.3EPSS: 0%CPEs: 4EXPL: 0CVE-2018-1073 – ovirt-engine: account enumeration through login to web console
https://notcve.org/view.php?id=CVE-2018-1073
The web console login form in ovirt-engine before version 4.2.3 returned different errors for non-existent users and invalid passwords, allowing an attacker to discover the names of valid user accounts. El formulario de inicio de sesión en la consola web de ovirt-engine, en versiones anteriores a la 4.2.3, devolvió errores diferentes para usuarios inexistentes y contraseñas no válidas, lo que permitió que un atacante descubriese los nombres de cuentas de usuario válidas. The ovirt-engine web console login form returned different errors for non-existent users and invalid passwords, allowing an attacker to discover the names of valid user accounts. • http://www.securityfocus.com/bid/104189 https://access.redhat.com/errata/RHSA-2018:1525 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1073 https://access.redhat.com/security/cve/CVE-2018-1073 https://bugzilla.redhat.com/show_bug.cgi?id=1553525 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-209: Generation of Error Message Containing Sensitive Information •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2014-0151 – ovirt-engine: cross-site request forgery (CSRF)
https://notcve.org/view.php?id=CVE-2014-0151
Cross-site request forgery (CSRF) vulnerability in oVirt Engine before 3.5.0 beta2 allows remote attackers to hijack the authentication of users for requests that perform unspecified actions via a REST API request. Vulnerabilidad de CSRF en oVirt Engine anterior a 3.5.0 beta2 permite a atacantes remotos secuestrar la autenticación de usuarios para solicitudes que realizan acciones no especificadas a través de una solicitud REST API. A Cross-Site Request Forgery (CSRF) flaw was found in the oVirt REST API. A remote attacker could provide a specially crafted web page that, when visited by a user with a valid REST API session, would allow the attacker to trigger calls to the oVirt REST API. • http://rhn.redhat.com/errata/RHSA-2015-0158.html http://www.ovirt.org/OVirt_3.5_Release_Notes https://bugzilla.redhat.com/show_bug.cgi?id=1077441 https://access.redhat.com/security/cve/CVE-2014-0151 https://bugzilla.redhat.com/show_bug.cgi?id=1081849 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.8EPSS: 0%CPEs: 10EXPL: 0CVE-2014-0152 – ovirt-engine-webadmin: session fixation
https://notcve.org/view.php?id=CVE-2014-0152
Session fixation vulnerability in the web admin interface in oVirt 3.4.0 and earlier allows remote attackers to hijack web sessions via unspecified vectors. Vulnerabilidad de fijación de sesión en la interfaz de administración web en oVirt 3.4.0 y anteriores permite a atacantes remotos secuestrar sesiones web a través de vectores no especificados. • http://gerrit.ovirt.org/#/c/25959 http://www.ovirt.org/Security_advisories https://access.redhat.com/security/cve/CVE-2014-0152 https://bugzilla.redhat.com/show_bug.cgi?id=1081860 • CWE-384: Session Fixation •