CloudStack console access is implemented as an AJAX application that runs on most popular browsers across various operating platforms. It therefore inherits some of the security implications common to browser-based applications. This improvement mainly focuses on improving security against the following attacks, which are common to browser-based applications.
...
A malicious user logs in to the CloudStack system with his/her own account and opens a valid console access session to a VM. The user can then use tools to learn the console startup URL and manipulate it in an attempt to gain access to VMs that he/she does not have the privilege to view.
To authenticate a valid console access request, the following authentication process is followed:
1) The user requests console access to a selected VM; the request is usually sent over HTTPS to the CloudStack management server.
...
7) If access is granted, an internal console session to the hypervisor that hosts the VM is initiated, and the session information is passed back to the console proxy VM through the same agent/management server channel.
...
Two hidden configuration variables are added to store the encryption key and the initialization vector (IV).
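As an added illustration of the property the console startup URL must have (this is not CloudStack's own code, which this page does not show), the following Python builds a console ticket bound to the requesting user, the VM and an expiry, and verifies it server-side so that a ticket edited to name another VM, or reused after it expires, is rejected. It assumes an HMAC-authenticated ticket as a stand-in for the encrypted ticket with key and IV the page refers to; the key value, user and VM ids are constructed.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-in for the hidden configuration variable holding the
# key (assumed name; never use a literal key like this in a deployment).
CONSOLE_TICKET_KEY = b"constructed-demo-key-not-for-real-use"
MAC_LEN = hashlib.sha256().digest_size


def make_ticket(user_id: str, vm_id: str, now: int, ttl: int = 30) -> str:
    """Issue a ticket only after the management server has already checked
    that user_id may view vm_id; the ticket carries user, VM and expiry."""
    claims = {"user": user_id, "vm": vm_id, "exp": now + ttl}
    payload = json.dumps(claims, sort_keys=True).encode()
    mac = hmac.new(CONSOLE_TICKET_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + mac).decode()


def verify_ticket(ticket: str, vm_id: str, now: int):
    """Return the user id if the ticket is authentic, unexpired and bound to
    vm_id (the VM the console proxy is being asked to open); else None."""
    try:
        raw = base64.urlsafe_b64decode(ticket.encode())
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) <= MAC_LEN:
        return None
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(CONSOLE_TICKET_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None  # payload was altered or the MAC was forged
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if claims.get("vm") != vm_id or claims.get("exp", 0) < now:
        return None  # ticket is for a different VM, or has expired
    return claims.get("user")


def demo():
    """Constructed walk-through: a genuine ticket is accepted for its own VM,
    refused for another VM, and refused once its lifetime has passed."""
    ticket = make_ticket("alice", "vm-42", now=1000)
    return (verify_ticket(ticket, "vm-42", 1010),
            verify_ticket(ticket, "vm-99", 1010),
            verify_ticket(ticket, "vm-42", 1031))
```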
...