389 matches found

Prion
added 2014/01/15 4:8 p.m. | 14 views

Cross site request forgery (csrf)

The virtual router in Apache CloudStack before 4.2.1 does not preserve the source restrictions in firewall rules after being restarted, which allows remote attackers to bypass intended restrictions via a request...

2.8 CVSS | 7.1 AI score | 0.03675 EPSS
Exploits 0 | References 7 | Affected Software 1
Prion
added 2014/01/15 4:8 p.m. | 15 views

Cross site request forgery (csrf)

The (1) ListNetworkACL and (2) listNetworkACLLists APIs in Apache CloudStack before 4.2.1 allow remote authenticated users to list network ACLS for other users via a crafted request...

4 CVSS | 6.7 AI score | 0.02151 EPSS
Exploits 0 | References 3 | Affected Software 1
Cvelist
added 2014/01/14 6:0 p.m. | 26 views

CVE-2014-0031

The (1) ListNetworkACL and (2) listNetworkACLLists APIs in Apache CloudStack before 4.2.1 allow remote authenticated users to list network ACLS for other users via a crafted request...

6.2 AI score | 0.02151 EPSS
Exploits 0 | References 3
CVE
added 2014/01/14 6:0 p.m. | 53 views

CVE-2014-0031

Apache CloudStack (vulnerable: before 4.2.1) exposes an information disclosure via the ListNetworkACL and listNetworkACLLists APIs. The issue, caused by how crafted requests allow remote authenticated users to list network ACLs for other users, can reveal ACLs not owned by the attacker. Impact is...

4 CVSS | 6.4 AI score | 0.02151 EPSS
Exploits 0 | References 3 | Affected Software 1
CVE
added 2014/01/14 6:0 p.m. | 44 views

CVE-2013-6398

CVE-2013-6398 affects Apache CloudStack virtual routers prior to 4.2.1. After a restart, firewall rules’ source restrictions were not preserved, allowing a remote attacker to bypass restrictions and access network resources. Public sources in connected documents (NVD entry and security advisories...

2.8 CVSS | 6.7 AI score | 0.03675 EPSS
Exploits 0 | References 7 | Affected Software 1
Cvelist
added 2014/01/14 6:0 p.m. | 32 views

CVE-2013-6398

The virtual router in Apache CloudStack before 4.2.1 does not preserve the source restrictions in firewall rules after being restarted, which allows remote attackers to bypass intended restrictions via a request...

6.5 AI score | 0.03675 EPSS
Exploits 0 | References 7
securityvulns
added 2014/01/14 12:0 a.m. | 29 views

Apache CloudStack security vulnerabilities

Protection bypass, information leakage...

4 CVSS | 2.3 AI score | 0.03675 EPSS
Exploits 0 | References 2 | Affected Software 1
securityvulns
added 2014/01/14 12:0 a.m. | 65 views

Updated [CVE-2014-0031] CloudStack ListNetworkACL API discloses ACLs for other users

Issued: January 9, 2014 Updated: January 10, 2014 CVE-2014-0031 CloudStack ListNetworkACL API discloses ACLs for other users Product: Apache CloudStack Vendor: Apache Software Foundation Vulnerability type: Information Disclosure Vulnerable Versions: Apache CloudStack 4.2.0 CVE References:...

4 CVSS | 0.8 AI score | 0.02151 EPSS
Exploits 0
securityvulns
added 2014/01/14 12:0 a.m. | 87 views

Updated [CVE-2013-6398] CloudStack Virtual Router stop/start modifies firewall rules allowing additional access

Issued: November 27, 2013 Updated: January 10, 2014 CVE-2013-6398 CloudStack Virtual Router stop/start modifies firewall rules allowing additional access Product: Apache CloudStack Vendor: Apache Software Foundation Vulnerability type: Bypass Vulnerable Versions: Apache CloudStack 4.1.0, 4.1.1,...

4.3 CVSS | 1 AI score | 0.04051 EPSS
Exploits 1
securityvulns
added 2013/09/09 12:0 a.m. | 61 views

Updated [CVE-2013-2136] Apache CloudStack Cross-site scripting (XSS) vulnerability

Issued: August 6, 2013 Updated: August 7, 2013 Product: Apache CloudStack Vendor: The Apache Software Foundation Vulnerability Types: Cross-site scripting (XSS) Vulnerable versions: Apache CloudStack versions 4.0.0-incubating, 4.0.1-incubating, 4.0.2 and 4.1.0 CVE References: CVE-2013-2136 Risk...

4.3 CVSS | 0.8 AI score | 0.04051 EPSS
Exploits 1
NVD
added 2013/08/19 11:55 p.m. | 21 views

CVE-2013-2136

Multiple cross-site scripting (XSS) vulnerabilities in Apache CloudStack before 4.1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) Physical network name to the Zone wizard; (2) New network name, (3) instance name, or (4) group to the Instance wizard; (5) unspecified "multi-edit...

4.3 CVSS | 5.8 AI score | 0.04051 EPSS
Exploits 1 | References 11
Prion
added 2013/08/19 11:55 p.m. | 22 views

Cross site scripting

Multiple cross-site scripting (XSS) vulnerabilities in Apache CloudStack before 4.1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) Physical network name to the Zone wizard; (2) New network name, (3) instance name, or (4) group to the Instance wizard; (5) unspecified "multi-edit...

4.3 CVSS | 6.1 AI score | 0.04051 EPSS
Exploits 1 | References 11 | Affected Software 1
Cvelist
added 2013/08/19 11:0 p.m. | 25 views

CVE-2013-2136

Multiple cross-site scripting (XSS) vulnerabilities in Apache CloudStack before 4.1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) Physical network name to the Zone wizard; (2) New network name, (3) instance name, or (4) group to the Instance wizard; (5) unspecified "multi-edit...

5.8 AI score | 0.04051 EPSS
Exploits 1 | References 11
CVE
added 2013/08/19 11:0 p.m. | 53 views

CVE-2013-2136

Apache CloudStack UI contains multiple cross-site scripting (XSS) vulnerabilities in versions up to 4.1.0, allowing authenticated/remote attackers to inject arbitrary script or HTML via fields in Zone, Network, Instance, global settings, and other UI inputs. The issue is fixed by upgrading to Clo...

4.3 CVSS | 5.8 AI score | 0.04051 EPSS
Exploits 1 | References 11 | Affected Software 1
seebug.org
added 2013/08/11 12:0 a.m. | 22 views

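Apache CloudStack multiple cross-site scripting vulnerabilities

BUGTRAQ ID: 61638 CVE(CAN) ID: CVE-2013-2136 Apache CloudStack is open-source software for deploying and managing large networks of virtual machines. The user interface of Apache CloudStack 4.0.0-incubating, 4.0.1-incubating 4.0.2, 4.1.0 allows authenticated users to carry out cross-site scripting attacks against other users within the system. 0 Apache Group CloudStack 4.1.0 Apache Group CloudStack 4.0.2 Apache Group CloudStack 4.0.1-incubating Apache Group...

4.3 CVSS | 6.4 AI score | 0.04051 EPSS
Exploits 1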
seebug.org
added 2013/04/28 12:0 a.m. | 40 views

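Apache CloudStack authentication bypass vulnerability (CVE-2013-2756)

BUGTRAQ ID: 59463 CVE(CAN) ID: CVE-2013-2756 Apache CloudStack is open-source software for deploying and managing large networks of virtual machines. Versions of Apache CloudStack before 4.0.2 contain a security bypass vulnerability: an attacker familiar with the Apache CloudStack source code can gain unauthorized access to the console of another tenant's VM. 0 Apache Group CloudStack 4.x Vendor patch: Apache Group ------------ The vendor has released an upgrade patch that fixes this security issue; download it from the vendor's home page: http://httpd.apache.org/...

5 CVSS | 6.5 AI score | 0.05822 EPSS
Exploits 1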
NVD
added 2013/01/22 11:55 p.m. | 22 views

CVE-2012-5616

Apache CloudStack 4.0.0-incubating and Citrix CloudPlatform (formerly Citrix CloudStack) before 3.0.6 stores sensitive information in the log4j.conf log file, which allows local users to obtain (1) the SSH private key as recorded by the createSSHKeyPair API, (2) the password of an added host as recorde...

1.5 CVSS | 6 AI score | 0.00566 EPSS
Exploits 1 | References 12
Prion
added 2013/01/22 11:55 p.m. | 19 views

Design/Logic Flaw

Apache CloudStack 4.0.0-incubating and Citrix CloudPlatform (formerly Citrix CloudStack) before 3.0.6 stores sensitive information in the log4j.conf log file, which allows local users to obtain (1) the SSH private key as recorded by the createSSHKeyPair API, (2) the password of an added host as recorde...

1.5 CVSS | 6.5 AI score | 0.00566 EPSS
Exploits 1 | References 12 | Affected Software 2
Cvelist
added 2013/01/22 11:0 p.m. | 28 views

CVE-2012-5616

Apache CloudStack 4.0.0-incubating and Citrix CloudPlatform (formerly Citrix CloudStack) before 3.0.6 stores sensitive information in the log4j.conf log file, which allows local users to obtain (1) the SSH private key as recorded by the createSSHKeyPair API, (2) the password of an added host as recorde...

6 AI score | 0.00566 EPSS
Exploits 1 | References 12
CVE
added 2013/01/22 11:0 p.m. | 54 views

CVE-2012-5616

CVE-2012-5616 affects Apache CloudStack 4.0.0-incubating and Citrix CloudPlatform prior to 3.0.6, where sensitive data is logged in log4j.conf. This enables local users to obtain (1) SSH private keys from createSSHKeyPair, (2) host passwords from AddHost, and (3)/(4) VM passwords from DeployVM or...

1.5 CVSS | 6.2 AI score | 0.00566 EPSS
Exploits 1 | References 12 | Affected Software 2