CVE-2019-19336

Name of the Vulnerable Software and Affected Versions oVirt-engine versions prior to 4.3.8

Description A cross-site scripting issue was reported in the OAuth authorization endpoint. The flaw occurs because URL parameters are included in the HTML response without proper escaping, allowing an attacker to craft malicious HTML pages that can run scripts in the context of the user's oVirt session.

Recommendations For versions prior to 4.3.8, update to version 4.3.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the OAuth authorization endpoint until the update can be applied.