← Back

CVE-2019-19336

nvd nist
Published: Mar 19, 2020Modified: Nov 21, 2024

JSON object

Loading...
6.1
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 / Impact: 2.7
Source: NVD

Description

A cross-site scripting vulnerability was reported in the oVirt-engine's OAuth authorization endpoint before version 4.3.8. URL parameters were included in the HTML response without escaping. This flaw would allow an attacker to craft malicious HTML pages that can run scripts in the context of the user's oVirt session.

Affected (2)

Ovirt
1 product
Ovirt Engine
Redhat
1 product
Virtualization
Configuration A
1 vulnerable
Vulnerable SoftwareAffected Versions
Ovirt Engine
Before 4.3.8
Configuration B
1 vulnerable
Vulnerable SoftwareAffected Versions
Virtualization
Version 4.3

Related CWEs

CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (2)

Source: secalert@redhat.com
Issue TrackingThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Issue TrackingThird Party Advisory

Timeline

No history available yet.