U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

National Vulnerability Database

National Vulnerability Database

NVD

National Vulnerability Database
  1. VulnerabilitiesSearch And Statistics

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): cpe:2.3:a:redhat:cloudforms_management_engine:5.7.1.3:*:*:*:*:*:*:*
  • CPE Name Search: true
There are 7 matching records.
Displaying matches 1 through 7.
Vuln ID Summary CVSS Severity
CVE-2020-14324

A high severity vulnerability was found in all active versions of Red Hat CloudForms before 5.11.7.0. The out of band OS command injection vulnerability can be exploited by authenticated attacker while setuping conversion host through Infrastructure Migration Solution. This flaw allows attacker to execute arbitrary commands on CloudForms server.

Published: August 11, 2020; 10:15:11 AM -0400 		V4.0:(not available)
 V3.1: 9.1 CRITICAL
V2.0: 6.5 MEDIUM
CVE-2014-0197

CFME: CSRF protection vulnerability via permissive check of the referrer header

Published: December 13, 2019; 8:15:10 AM -0500 		V4.0:(not available)
 V3.1: 8.8 HIGH
V2.0: 6.8 MEDIUM
CVE-2016-7047

A flaw was found in the CloudForms API before 5.6.3.0, 5.7.3.1 and 5.8.1.2. A user with permissions to use the MiqReportResults capability within the API could potentially view data from other tenants or groups to which they should not have access.

Published: September 11, 2018; 9:29:00 AM -0400 		V4.0:(not available)
 V3.0: 4.3 MEDIUM
V2.0: 4.0 MEDIUM
CVE-2017-2653

A number of unused delete routes are present in CloudForms before 5.7.2.1 which can be accessed via GET requests instead of just POST requests. This could allow an attacker to bypass the protect_from_forgery XSRF protection causing the routes to be used. This attack would require additional cross-site scripting or similar attacks in order to execute.

Published: July 27, 2018; 2:29:01 PM -0400 		V4.0:(not available)
 V3.0: 6.5 MEDIUM
V2.0: 4.0 MEDIUM
CVE-2017-15125

A flaw was found in CloudForms before 5.9.0.22 in the self-service UI snapshot feature where the name field is not properly sanitized for HTML and JavaScript input. An attacker could use this flaw to execute a stored XSS attack on an application administrator using CloudForms. Please note that CSP (Content Security Policy) prevents exploitation of this XSS however not all browsers support CSP.

Published: July 27, 2018; 11:29:00 AM -0400 		V4.0:(not available)
 V3.0: 5.4 MEDIUM
V2.0: 3.5 LOW
CVE-2017-2664

CloudForms Management Engine (cfme) before 5.7.3 and 5.8.x before 5.8.1 lacks RBAC controls on certain methods in the rails application portion of CloudForms. An attacker with access could use a variety of methods within the rails application portion of CloudForms to escalate privileges.

Published: July 26, 2018; 10:29:00 AM -0400 		V4.0:(not available)
 V3.0: 6.5 MEDIUM
V2.0: 4.0 MEDIUM
CVE-2017-7530

In CloudForms Management Engine (cfme) before 5.7.3 and 5.8.x before 5.8.1, it was found that privilege check is missing when invoking arbitrary methods via filtering on VMs that MiqExpression will execute that is triggerable by API users. An attacker could use this to execute actions they should not be allowed to (e.g. destroying VMs).

Published: July 26, 2018; 9:29:00 AM -0400 		V4.0:(not available)
 V3.0: 8.8 HIGH
V2.0: 6.5 MEDIUM