CVE-2019-19336

CWE-79 — Cross-site Scripting (XSS)5 documents5 sources

Severity

6.1MEDIUM

EPSS

0.3%

top 46.10%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Ovirt Ovirt-engine RED HAT Ovirt-engine Redhat Virtualization

Timeline

PublishedMar 19

Latest updateMay 24

Description

A cross-site scripting vulnerability was reported in the oVirt-engine's OAuth authorization endpoint before version 4.3.8. URL parameters were included in the HTML response without escaping. This flaw would allow an attacker to craft malicious HTML pages that can run scripts in the context of the user's oVirt session.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages3 packages

▶NVDovirt/ovirt-engine< 4.3.8

▶CVEListV5red_hat/ovirt-engine4.3.8

▶NVDredhat/virtualization4.3

🔴Vulnerability Details

GHSA

GHSA-969f-386j-4c9x: A cross-site scripting vulnerability was reported in the oVirt-engine's OAuth authorization endpoint before version 4↗2022-05-24

▶

CVEList

CVE-2019-19336: A cross-site scripting vulnerability was reported in the oVirt-engine's OAuth authorization endpoint before version 4↗2020-03-19

▶

📋Vendor Advisories

Red Hat

ovirt-engine: response_type parameter allows reflected XSS↗2020-01-11

▶

💬Community

Bugzilla

CVE-2019-19336 ovirt-engine: response_type parameter allows reflected XSS↗2019-12-09

▶