Skip to main content

Ovirt Engine CVE-2020-14333

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2020-08-18 secalert@redhat.com
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Aug 18, 2020 - 14:15 nvd
MEDIUM 6.1

DescriptionNVD

A flaw was found in Ovirt Engine's web interface in ovirt 4.4 and earlier, where it did not filter user-controllable parameters completely, resulting in a reflected cross-site scripting attack. This flaw allows an attacker to leverage a phishing attack, steal an unsuspecting user's cookies or other confidential information, or impersonate them within the application's context.

AnalysisAI

A flaw was found in Ovirt Engine's web interface in ovirt 4.4 and earlier, where it did not filter user-controllable parameters completely, resulting in a reflected cross-site scripting attack. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. A flaw was found in Ovirt Engine's web interface in ovirt 4.4 and earlier, where it did not filter user-controllable parameters completely, resulting in a reflected cross-site scripting attack. This flaw allows an attacker to leverage a phishing attack, steal an unsuspecting user's cookies or other confidential information, or impersonate them within the application's context. Affected products include: Ovirt Ovirt-Engine.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

CVE-2024-0822 HIGH POC
7.5 Jan 25

An authentication bypass vulnerability was found in overt-engine. Rated high severity (CVSS 7.5), this vulnerability is

CVE-2014-7851 HIGH
7.5 Oct 16

oVirt 3.2.2 through 3.5.0 does not invalidate the restapi session after logout from the webadmin, which allows remote au

CVE-2016-3113 MEDIUM
6.1 Aug 07

Cross-site scripting (XSS) vulnerability in ovirt-engine allows remote attackers to inject arbitrary web script or HTML.

CVE-2014-0152 MEDIUM
6.8 Sep 08

Session fixation vulnerability in the web admin interface in oVirt 3.4.0 and earlier allows remote attackers to hijack w

CVE-2014-0151 MEDIUM
6.8 Feb 13

Cross-site request forgery (CSRF) vulnerability in oVirt Engine before 3.5.0 beta2 allows remote attackers to hijack the

CVE-2016-3077 MEDIUM
6.5 Jun 06

The VersionMapper.fromKernelVersionString method in oVirt Engine allows remote authenticated users to cause a denial of

CVE-2020-35497 MEDIUM
6.5 Dec 21

A flaw was found in ovirt-engine 4.4.3 and earlier allowing an authenticated user to read other users' personal informat

CVE-2022-3193 MEDIUM
6.1 Sep 28

An HTML injection/reflected Cross-site scripting (XSS) vulnerability was found in the ovirt-engine. Rated medium severit

CVE-2020-10775 MEDIUM
5.3 Aug 24

An Open redirect vulnerability was found in ovirt-engine versions 4.4 and earlier, where it allows remote attackers to r

CVE-2018-1073 MEDIUM
5.3 Jun 19

The web console login form in ovirt-engine before version 4.2.3 returned different errors for non-existent users and inv

CVE-2018-1062 MEDIUM
5.3 Mar 06

A vulnerability was discovered in oVirt 4.1.x before 4.1.9, where the combination of Enable Discard and Wipe After Delet

CVE-2024-7259 MEDIUM
4.9 Sep 26

A flaw was found in oVirt. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack comp

Share

CVE-2020-14333 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy