CVE-2014-0154
ovirt-engine-webadmin: HttpOnly flag is not included when the session ID is set
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
oVirt Engine before 3.5.0 does not include the HTTPOnly flag in a Set-Cookie header for the session IDs, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.
oVirt Engine anterior a 3.5.0 no incluye el indicador HTTPOnly en una cabecera Set-Cookie para los identificadores de la sesión, lo que facilita a atacantes remotos obtener información potencialmente sensible a través del acceso de secuencias de comandos a esta cookie.
It was found that the oVirt web admin interface did not include the HttpOnly flag when setting session IDs with the Set-Cookie header. This flaw could make it is easier for a remote attacker to hijack an oVirt web admin session by leveraging a cross-site scripting (XSS) vulnerability.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2013-12-03 CVE Reserved
- 2015-02-12 CVE Published
- 2023-03-07 EPSS Updated
- 2024-08-06 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
- CWE-522: Insufficiently Protected Credentials
CAPEC
References (4)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| http://rhn.redhat.com/errata/RHSA-2015-0158.html | 2023-02-13 |
| URL | Date | SRC |
|---|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=1077450 | 2023-02-13 | |
| https://access.redhat.com/security/cve/CVE-2014-0154 | 2015-02-11 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1081896 | 2015-02-11 |