2017-10-16 15:00:00
redhat
PUBLISHED
oVirt 3.2.2 through 3.5.0 does not invalidate the restapi session after logout from the webadmin, which allows remote authenticated users with knowledge of another users session data to gain that users privileges by replacing their session token with that of another user.