Page 5 of 25 results (0.015 seconds)

CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0

oVirt Engine before 4.0.3 does not include DWH_DB_PASSWORD in the list of keys to hide in log files, which allows local users to obtain sensitive password information by reading engine log files. oVirt Engine en versiones anteriores a 4.0.3 no incluye DWH_DB_PASSWORD en el listado de claves que se ocultan en los archivos de registro, lo que permite a usuarios locales obtener información sensible de contraseñas mediante la lectura de los archivos de registro de motor. • http://www.securityfocus.com/bid/92665 https://bugzilla.redhat.com/show_bug.cgi?id=1363816 https://bugzilla.redhat.com/show_bug.cgi?id=1369793 https://www.ovirt.org/release/4.0.3 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 0

oVirt Engine before 3.5.0 does not include the HTTPOnly flag in a Set-Cookie header for the session IDs, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie. oVirt Engine anterior a 3.5.0 no incluye el indicador HTTPOnly en una cabecera Set-Cookie para los identificadores de la sesión, lo que facilita a atacantes remotos obtener información potencialmente sensible a través del acceso de secuencias de comandos a esta cookie. It was found that the oVirt web admin interface did not include the HttpOnly flag when setting session IDs with the Set-Cookie header. This flaw could make it is easier for a remote attacker to hijack an oVirt web admin session by leveraging a cross-site scripting (XSS) vulnerability. • http://rhn.redhat.com/errata/RHSA-2015-0158.html https://bugzilla.redhat.com/show_bug.cgi?id=1077450 https://access.redhat.com/security/cve/CVE-2014-0154 https://bugzilla.redhat.com/show_bug.cgi?id=1081896 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-522: Insufficiently Protected Credentials •

CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0

The REST API in oVirt 3.4.0 and earlier stores session IDs in HTML5 local storage, which allows remote attackers to obtain sensitive information via a crafted web page. La API REST en oVirt 3.4.0 y anteriores almacena los IDs de sesiones en almacenaje local HTML5, lo que permite a atacantes remotos obtener información sensible a través de una página web manipulada. • http://gerrit.ovirt.org/#/c/25987 http://www.ovirt.org/Security_advisories https://access.redhat.com/security/cve/CVE-2014-0153 https://bugzilla.redhat.com/show_bug.cgi?id=1081875 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-522: Insufficiently Protected Credentials •

CVSS: 6.8EPSS: 0%CPEs: 10EXPL: 0

Session fixation vulnerability in the web admin interface in oVirt 3.4.0 and earlier allows remote attackers to hijack web sessions via unspecified vectors. Vulnerabilidad de fijación de sesión en la interfaz de administración web en oVirt 3.4.0 y anteriores permite a atacantes remotos secuestrar sesiones web a través de vectores no especificados. • http://gerrit.ovirt.org/#/c/25959 http://www.ovirt.org/Security_advisories https://access.redhat.com/security/cve/CVE-2014-0152 https://bugzilla.redhat.com/show_bug.cgi?id=1081860 • CWE-384: Session Fixation •

CVSS: 5.0EPSS: 0%CPEs: 3EXPL: 0

The python SDK before 3.1.0.6 and CLI before 3.1.0.8 for oVirt 3.1 does not check the server SSL certificate against the client keys, which allows remote attackers to spoof a server via a man-in-the-middle (MITM) attack. El SDK de Python antes de v3.1.0.6 y v3.1.0.8 y CLI antes de v3.1.0.8 para oVirt v3.1 no comprueban el certificado SSL de servidor contra las claves de cliente, lo que permite a atacantes remotos falsificar un servidor a través de un ataque man-in-the-middle (MITM). • http://gerrit.ovirt.org/#/c/7209 http://gerrit.ovirt.org/#/c/7249 http://secunia.com/advisories/50409 http://www.openwall.com/lists/oss-security/2012/08/24/6 http://www.openwall.com/lists/oss-security/2012/08/26/1 http://www.securityfocus.com/bid/55208 https://bugzilla.redhat.com/show_bug.cgi?id=851672 https://exchange.xforce.ibmcloud.com/vulnerabilities/77984 • CWE-310: Cryptographic Issues •