Public Date:
1081896: CVE-2014-0154 ovirt-engine-webadmin: HttpOnly flag is not included when the session ID is set
It was found that the oVirt web admin interface did not include the HttpOnly flag when setting session IDs with the Set-Cookie header. This flaw could make it easier for a remote attacker to hijack an oVirt web admin session by leveraging a cross-site scripting (XSS) vulnerability.
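
A check for the condition described above, as an added example that is not part of the advisory or of oVirt's code: it parses Set-Cookie header values and reports session cookies set without HttpOnly. The cookie name JSESSIONID, the function names and the sample headers are assumptions constructed for illustration.

```python
# Added example: audit Set-Cookie header values for a session cookie
# that is set without the HttpOnly attribute.

def parse_set_cookie(value):
    """Split one Set-Cookie header value into (name, cookie_value, attrs)."""
    parts = [p.strip() for p in value.split(";")]
    name, sep, cookie_value = parts[0].partition("=")
    if not sep or not name.strip():
        raise ValueError(f"not a name=value cookie pair: {parts[0]!r}")
    attrs = {}
    for part in parts[1:]:
        if part:  # tolerate a trailing ';'
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
    return name.strip(), cookie_value.strip(), attrs


def missing_httponly(set_cookie_values, session_names):
    """Return the raw headers that set a session cookie without HttpOnly."""
    findings = []
    for raw in set_cookie_values:
        try:
            name, _, attrs = parse_set_cookie(raw)
        except ValueError:
            continue  # malformed header: no cookie to assess
        if name in session_names and "httponly" not in attrs:
            findings.append(raw)
    return findings


# Constructed sample headers; JSESSIONID is an assumed session cookie name.
SAMPLE_HEADERS = [
    "JSESSIONID=constructed-1; Path=/",                 # flagged
    "JSESSIONID=constructed-2; Path=/; HttpOnly",       # ok
    "JSESSIONID=constructed-3; Path=/; httponly;",      # ok: lower case, trailing ';'
    "JSESSIONID=HttpOnly-in-value; Path=/; Secure",     # flagged: text is in the value only
    "locale=en_US; Path=/",                             # not a session cookie
    "HttpOnly",                                         # malformed, skipped
]

if __name__ == "__main__":
    for header in missing_httponly(SAMPLE_HEADERS, {"JSESSIONID"}):
        print("session cookie set without HttpOnly:", header)
```

Parsing the attributes rather than searching the header for the string "HttpOnly" avoids a false pass when that text appears only inside the cookie value, as in the fourth sample.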

Find out more about CVE-2014-0154 from the MITRE CVE dictionary and NIST NVD.

CVSS v2 metrics

Base Score: 4.3
Base Metrics: AV:N/AC:M/Au:N/C:N/I:P/A:N
Access Vector: Network
Access Complexity: Medium
Authentication: None
Confidentiality Impact: None
Integrity Impact: Partial
Availability Impact: None

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat Security Errata

Platform | Errata | Release Date
RHEV Manager 3 (org.ovirt.engine-root) | RHSA-2015:0158 | 2015-02-11

Affected Packages State

Platform | Package | State
RHEV Manager 3 | ovirt-engine-webadmin-portal | Will not fix
Last Modified