National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Search Results (Refine Search)

Search Parameters:
  • Contains Software Flaws (CVE)
  • CPE Product Version: cpe:/a:redhat:cloudforms_management_engine:5.1
There are 10 matching records.
Vuln ID Summary CVSS Severity
CVE-2016-7071

It was found that the CloudForms before 5.6.2.2, and 5.7.0.7 did not properly apply permissions controls to VM IDs passed by users. A remote, authenticated attacker could use this flaw to execute arbitrary VMs on systems managed by CloudForms if they know the ID of the VM.

Published: September 10, 2018; 11:29:00 AM -04:00
V3: 8.8 HIGH
V2: 9.0 HIGH
CVE-2017-2632

A logic error in valid_role() in CloudForms role validation before 5.7.1.3 could allow a tenant administrator to create groups with a higher privilege level than the tenant administrator should have. This would allow an attacker with tenant administration access to elevate privileges.

Published: July 27, 2018; 03:29:00 PM -04:00
V3: 4.9 MEDIUM
V2: 4.0 MEDIUM
CVE-2017-2653

A number of unused delete routes are present in CloudForms before 5.7.2.1 which can be accessed via GET requests instead of just POST requests. This could allow an attacker to bypass the protect_from_forgery XSRF protection causing the routes to be used. This attack would require additional cross-site scripting or similar attacks in order to execute.

Published: July 27, 2018; 02:29:01 PM -04:00
V3: 6.5 MEDIUM
V2: 4.0 MEDIUM
CVE-2017-15125

A flaw was found in CloudForms before 5.9.0.22 in the self-service UI snapshot feature where the name field is not properly sanitized for HTML and JavaScript input. An attacker could use this flaw to execute a stored XSS attack on an application administrator using CloudForms. Please note that CSP (Content Security Policy) prevents exploitation of this XSS however not all browsers support CSP.

Published: July 27, 2018; 11:29:00 AM -04:00
V3: 5.4 MEDIUM
V2: 3.5 LOW
CVE-2017-2664

CloudForms Management Engine (cfme) before 5.7.3 and 5.8.x before 5.8.1 lacks RBAC controls on certain methods in the rails application portion of CloudForms. An attacker with access could use a variety of methods within the rails application portion of CloudForms to escalate privileges.

Published: July 26, 2018; 10:29:00 AM -04:00
V3: 6.5 MEDIUM
V2: 4.0 MEDIUM
CVE-2017-7530

In CloudForms Management Engine (cfme) before 5.7.3 and 5.8.x before 5.8.1, it was found that privilege check is missing when invoking arbitrary methods via filtering on VMs that MiqExpression will execute that is triggerable by API users. An attacker could use this to execute actions they should not be allowed to (e.g. destroying VMs).

Published: July 26, 2018; 09:29:00 AM -04:00
V3: 8.8 HIGH
V2: 6.5 MEDIUM
CVE-2014-0087

The check_privileges method in vmdb/app/controllers/application_controller.rb in ManageIQ, as used in Red Hat CloudForms Management Engine (CFME), allows remote authenticated users to bypass authorization and gain privileges by leveraging improper RBAC checking, related to the rbac_user_edit action.

Published: January 11, 2018; 11:29:00 AM -05:00
V3: 8.8 HIGH
V2: 6.5 MEDIUM
CVE-2013-2050

SQL injection vulnerability in the miq_policy controller in Red Hat CloudForms 2.0 Management Engine (CFME) 5.1 and ManageIQ Enterprise Virtualization Manager 5.0 and earlier allows remote authenticated users to execute arbitrary SQL commands via the profile[] parameter in an explorer action.

Published: January 10, 2014; 08:55:02 PM -05:00
V2: 7.5 HIGH
CVE-2013-2068

Multiple directory traversal vulnerabilities in the AgentController in Red Hat CloudForms Management Engine 2.0 allow remote attackers to create and overwrite arbitrary files via a .. (dot dot) in the filename parameter to the (1) log, (2) upload, or (3) linuxpkgs method.

Published: September 28, 2013; 03:55:02 PM -04:00
V2: 9.4 HIGH
CVE-2013-4172

The Red Hat CloudForms Management Engine 5.1 allow remote administrators to execute arbitrary Ruby code via unspecified vectors.

Published: August 23, 2013; 12:55:07 PM -04:00
V2: 8.5 HIGH