Vulnerabilities > Ovirt > Medium
DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | RISK |
---|---|---|---|---|
2022-09-28 | CVE-2022-3193 | Cross-site Scripting vulnerability in Ovirt Ovirt-Engine 4.3.0 | An HTML injection/reflected Cross-site scripting (XSS) vulnerability was found in the ovirt-engine. | 6.1 |
2022-08-26 | CVE-2022-0207 | Race Condition vulnerability in multiple products | A race condition was found in vdsm. | 4.7 |
2020-12-21 | CVE-2020-35497 | Improper Access Control vulnerability in multiple products | A flaw was found in ovirt-engine 4.4.3 and earlier allowing an authenticated user to read other users' personal information, including name, email and public SSH key. | 6.5 |
2020-08-18 | CVE-2020-14333 | Cross-site Scripting vulnerability in Ovirt Ovirt-Engine | A flaw was found in Ovirt Engine's web interface in ovirt 4.4 and earlier, where it did not filter user-controllable parameters completely, resulting in a reflected cross-site scripting attack. | 6.1 |
2020-03-19 | CVE-2019-19336 | Cross-site Scripting vulnerability in multiple products | A cross-site scripting vulnerability was reported in the oVirt-engine's OAuth authorization endpoint before version 4.3.8. | 4.3 |
2019-12-02 | CVE-2012-4480 | Improper Privilege Management vulnerability in multiple products | mom creates world-writable pid files in /var/run | 4.6 |
2019-11-25 | CVE-2012-5518 | Improper Certificate Validation vulnerability in Ovirt Vdsm | vdsm: certificate generation upon node creation allowing vdsm to start and serve requests from anyone who has a matching key (and certificate) | 4.3 |
2019-11-01 | CVE-2013-4367 | Incorrect Permission Assignment for Critical Resource vulnerability in Ovirt Ovirt-Engine 3.2 | ovirt-engine 3.2 running on Linux kernel 3.1 and newer creates certain files world-writeable due to an upstream kernel change which impacted how python's os.chmod() works when passed a mode of '-1'. | 4.6 |
2019-07-11 | CVE-2019-10194 | Information Exposure Through Log Files vulnerability in multiple products | Sensitive passwords used in deployment and configuration of oVirt Metrics, all versions. | 5.5 |
2019-03-25 | CVE-2019-3879 | Missing Authorization vulnerability in multiple products | It was discovered that in the ovirt's REST API before version 4.3.2.1, RemoveDiskCommand is triggered as an internal command, meaning the permission validation that should be performed against the calling user is skipped. | 5.5 |