A stored XSS vulnerability was discovered in ovirt-engine 4.2. Sanitation of HTML elements was not applied correctly to all fields, shows in the management console. An attacker with VM Admin permissions could use this vulnerability to launch XSS attacks against other VM or Cluster administrators.
Find out more about CVE-2018-1000095 from the MITRE CVE dictionary dictionary and NIST NVD.
NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.
CVSS3 Base Score | 7.2 |
---|---|
CVSS3 Base Metrics | CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H |
Attack Vector | Local |
Attack Complexity | High |
Privileges Required | High |
User Interaction | Required |
Scope | Changed |
Confidentiality | High |
Integrity Impact | High |
Availability Impact | High |
Platform | Package | State |
---|---|---|
Red Hat Virtualization 4 | ovirt-engine | Not affected |