RedHat RHSA-2020-3247-01 Important: RHV Manager Security Update

The ovirt-engine package provides the Red Hat Virtualization Manager, a centralized management platform that allows system administrators to view and manage virtual machines. The Manager provides a comprehensive range of features including search capabilities, resource management, live migrations, and virtual infrastructure provisioning.
The Manager is a JBoss Application Server application that provides several interfaces through which the virtual environment can be accessed and interacted with, including an Administration Portal, a VM Portal, and a Representational State Transfer (REST) Application Programming Interface (API).
A list of bugs fixed in this update is available in the Technical Notes book:
ml-single/technical_notes
Security Fix(es):
* apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default (CVE-2019-10086)
* libquartz: XXE attacks via job description (CVE-2019-13990)
* novnc: XSS vulnerability via the messages propagated to the status field (CVE-2017-18635)
* bootstrap: XSS in the tooltip or popover data-template attribute (CVE-2019-8331)
* nimbus-jose-jwt: Uncaught exceptions while parsing a JWT (CVE-2019-17195)
* ovirt-engine: response_type parameter allows reflected XSS (CVE-2019-19336)
* nodejs-minimist: prototype pollution allows adding or modifying properties of Object.prototype using a constructor or __proto__ payload (CVE-2020-7598)
* ovirt-engine: Redirect to arbitrary URL allows for phishing (CVE-2020-10775)
* Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022)
* jQuery: passing HTML containing elements to manipulation methods could result in untrusted code execution (CVE-2020-11023)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.