What is the vulnerability ID for this cross-site scripting vulnerability?

The vulnerability ID for this cross-site scripting vulnerability is CVE-2019-19336.

What is the severity of CVE-2019-19336?

CVE-2019-19336 has a severity value of 6.1, which is considered medium.

What software versions are affected by CVE-2019-19336?

The versions affected by CVE-2019-19336 include oVirt-engine before version 4.3.8, ovirt-engine-dwh version 0:4.3.8-1.el7e, ovirt-engine-metrics version 0:1.3.6.2-1.el7e, ovirt-fast-forward-upgrade version 0:1.0.0-16.el7e, ovirt-imageio-common version 0:1.5.3-0.el7e, ovirt-imageio-proxy version 0:1.5.3-0.el7e, ovirt-web-ui version 0:1.6.0-2.el7e, rhv-log-collector-analyzer version 0:0.2.15-0.el7e, and v2v-conversion-host version 0:1.16.0-3.el7e.

How can an attacker exploit CVE-2019-19336?

An attacker can exploit CVE-2019-19336 by crafting malicious HTML pages that can run scripts in the context of the user.

Is there a fix for CVE-2019-19336?

Yes, the fix for CVE-2019-19336 is to upgrade to oVirt-engine version 4.3.8.

Vulnerability/
CVE-2019-19336

medium

6.1

CWE

9/12/2019

11/1/2020

16/2/2021

CVE-2019-19336: XSS

First published: Mon Dec 09 2019(Updated: )

A cross-site scripting vulnerability was reported in the oVirt-engine's OAuth authorization endpoint before version 4.3.8. URL parameters were included in the HTML response without escaping. This flaw would allow an attacker to craft malicious HTML pages that can run scripts in the context of the user's oVirt session.

Credit: secalert@redhat.com

Affected Software	Affected Version	How to fix
Ovirt Ovirt-engine	<4.3.8
Redhat Virtualization	=4.3
redhat/ovirt-engine-dwh	<0:4.3.8-1.el7e	0:4.3.8-1.el7e
redhat/ovirt-engine-metrics	<0:1.3.6.2-1.el7e	0:1.3.6.2-1.el7e
redhat/ovirt-fast-forward-upgrade	<0:1.0.0-16.el7e	0:1.0.0-16.el7e
redhat/ovirt-imageio-common	<0:1.5.3-0.el7e	0:1.5.3-0.el7e
redhat/ovirt-imageio-proxy	<0:1.5.3-0.el7e	0:1.5.3-0.el7e
redhat/ovirt-web-ui	<0:1.6.0-2.el7e	0:1.6.0-2.el7e
redhat/rhv-log-collector-analyzer	<0:0.2.15-0.el7e	0:0.2.15-0.el7e
redhat/v2v-conversion-host	<0:1.16.0-3.el7e	0:1.16.0-3.el7e

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

Frequently Asked Questions

What is the vulnerability ID for this cross-site scripting vulnerability?
The vulnerability ID for this cross-site scripting vulnerability is CVE-2019-19336.
What is the severity of CVE-2019-19336?
CVE-2019-19336 has a severity value of 6.1, which is considered medium.
What software versions are affected by CVE-2019-19336?
The versions affected by CVE-2019-19336 include oVirt-engine before version 4.3.8, ovirt-engine-dwh version 0:4.3.8-1.el7e, ovirt-engine-metrics version 0:1.3.6.2-1.el7e, ovirt-fast-forward-upgrade version 0:1.0.0-16.el7e, ovirt-imageio-common version 0:1.5.3-0.el7e, ovirt-imageio-proxy version 0:1.5.3-0.el7e, ovirt-web-ui version 0:1.6.0-2.el7e, rhv-log-collector-analyzer version 0:0.2.15-0.el7e, and v2v-conversion-host version 0:1.16.0-3.el7e.
How can an attacker exploit CVE-2019-19336?
An attacker can exploit CVE-2019-19336 by crafting malicious HTML pages that can run scripts in the context of the user.
Is there a fix for CVE-2019-19336?
Yes, the fix for CVE-2019-19336 is to upgrade to oVirt-engine version 4.3.8.

agent/author
agent/description
agent/event
agent/first-publish-date
agent/last-modified-date
agent/references
agent/severity
agent/softwarecombine
agent/tags
agent/type
agent/weakness
collector/nvd-index
collector/redhat-bugzilla
source/Red Hat
alias/CVE-2019-19336
agent/software-canonical-lookup
collector/redhat-cve
vendor/ovirt
canonical/ovirt ovirt-engine
vendor/redhat
canonical/redhat virtualization
version/redhat virtualization/4.3
package-manager/redhat