| |
Vulnerability CVE-2014-7851
Published: 2017-10-16
| Description: |
oVirt 3.2.2 through 3.5.0 does not invalidate the restapi session after logout from the webadmin, which allows remote authenticated users with knowledge of another user's session data to gain that user's privileges by replacing their session token with that of another user. |
Type:
CWE-264 (Permissions, Privileges, and Access Controls)
CVSS2 => (AV:N/AC:M/Au:S/C:P/I:P/A:P)
| CVSS Base Score |
Impact Subscore |
Exploitability Subscore |
6/10 |
6.4/10 |
6.8/10 |
| Exploit range |
Attack complexity |
Authentication |
Remote |
Medium |
Single time |
| Confidentiality impact |
Integrity impact |
Availability impact |
Partial |
Partial |
Partial |
References: |
https://bugzilla.redhat.com/show_bug.cgi?id=1161730
https://bugzilla.redhat.com/show_bug.cgi?id=1165311
|
|
|
Copyright 2024, cxsecurity.com
|
|
|
