Chen Huiliang

**Name of the Vulnerable Software and Affected Versions** ovirt versions 4.4 and earlier **Description** A flaw was found in Ovirt Engine's web interface where it did not filter user-controllable parameters completely, resulting in a reflected cross-site scripting attack. This flaw allows an attacker to leverage a phishing attack, steal an unsuspecting user's cookies or other confidential information, or impersonate them within the application's context. **Recommendations** For ovirt versions 4.4 and earlier, update to a version that includes the fix for this issue to prevent reflected cross-site scripting attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** oVirt-engine versions 4.4 and earlier **Description** The issue allows remote attackers to redirect users to arbitrary web sites and attempt phishing attacks. Once the target has opened the malicious URL in their browser, the critical part of the URL is no longer visible. The highest threat from this vulnerability is on confidentiality. It is related to the use of open redirect, which can be exploited by a remote attacker to redirect a user to a specially crafted link. **Recommendations** For versions 4.4 and earlier, update to a version later than 4.4 to resolve the issue. At the moment, there is no information about other specific fixes for this vulnerability.