212 matches found

0day.today
added 2014/12/10 12:0 a.m., 26 views

Apache CloudStack 4.3 / 4.4 Unauthenticated LDAP Binds Vulnerability

Apache CloudStack may be configured to authenticate LDAP users. When so configured, it performs a simple LDAP bind with the name and password provided by a user. Simple LDAP binds are defined with three mechanisms (RFC 4513): (1) username and password; (2) unauthenticated if only a username is specifie...

5 CVSS, 6.6 AI score, 0.00419 EPSS
Exploits: 1
NVD
added 2014/05/23 2:55 p.m., 12 views

CVE-2013-2758

Apache CloudStack 4.0.0 before 4.0.2 and Citrix CloudPlatform (formerly Citrix CloudStack) 3.0.x before 3.0.6 Patch C uses a hash of a predictable sequence, which makes it easier for remote attackers to guess the console access URL via a brute force attack...

5 CVSS, 6.6 AI score, 0.02796 EPSS
Exploits: 0, References: 8
NVD
added 2014/05/23 2:55 p.m., 13 views

CVE-2013-2756

Apache CloudStack 4.0.0 before 4.0.2 and Citrix CloudPlatform (formerly Citrix CloudStack) 3.0.x before 3.0.6 Patch C allows remote attackers to bypass the console proxy authentication by leveraging knowledge of the source code...

5 CVSS, 7 AI score, 0.03054 EPSS
Exploits: 1, References: 8
Prion
added 2014/05/23 2:55 p.m., 11 views

Code injection

Apache CloudStack 4.0.0 before 4.0.2 and Citrix CloudPlatform (formerly Citrix CloudStack) 3.0.x before 3.0.6 Patch C allows remote attackers to bypass the console proxy authentication by leveraging knowledge of the source code...

5 CVSS, 7.5 AI score, 0.03054 EPSS
Exploits: 1, References: 8, Affected Software: 2
Prion
added 2014/05/23 2:55 p.m., 13 views

Design/Logic Flaw

Apache CloudStack 4.0.0 before 4.0.2 and Citrix CloudPlatform (formerly Citrix CloudStack) 3.0.x before 3.0.6 Patch C uses a hash of a predictable sequence, which makes it easier for remote attackers to guess the console access URL via a brute force attack...

5 CVSS, 7.2 AI score, 0.02796 EPSS
Exploits: 0, References: 8, Affected Software: 2
Cvelist
added 2014/05/23 2:0 p.m., 14 views

CVE-2013-2758

Apache CloudStack 4.0.0 before 4.0.2 and Citrix CloudPlatform (formerly Citrix CloudStack) 3.0.x before 3.0.6 Patch C uses a hash of a predictable sequence, which makes it easier for remote attackers to guess the console access URL via a brute force attack...

6.6 AI score, 0.02796 EPSS
Exploits: 0, References: 8
Cvelist
added 2014/05/23 2:0 p.m., 17 views

CVE-2013-2756

Apache CloudStack 4.0.0 before 4.0.2 and Citrix CloudPlatform (formerly Citrix CloudStack) 3.0.x before 3.0.6 Patch C allows remote attackers to bypass the console proxy authentication by leveraging knowledge of the source code...

7 AI score, 0.03054 EPSS
Exploits: 1, References: 8
CVE
added 2014/05/23 2:0 p.m., 50 views

CVE-2013-2756

The CVE-2013-2756 issue affects Apache CloudStack 4.0.0–4.0.1 (and Citrix CloudPlatform 3.0.x up to 3.0.5) where Patch C for the respective lines allows remote attackers to bypass the console proxy authentication by leveraging knowledge of the source code. The root cause is an authentication bypa...

5 CVSS, 7.2 AI score, 0.03054 EPSS
Exploits: 1, References: 8, Affected Software: 2
CVE
added 2014/05/23 2:0 p.m., 51 views

CVE-2013-2758

CVE-2013-2758 affects Apache CloudStack 4.0.0–4.0.1 and Citrix CloudPlatform 3.0.x prior to 3.0.6 Patch C, which use a hash of a predictable sequence. This enables remote attackers to guess the console access URL via brute force. Remediation: upgrade to Apache CloudStack 4.0.2 or later, and Citri...

5 CVSS, 6.8 AI score, 0.02796 EPSS
Exploits: 0, References: 8, Affected Software: 2
NVD
added 2014/01/15 4:8 p.m., 11 views

CVE-2014-0031

The (1) ListNetworkACL and (2) listNetworkACLLists APIs in Apache CloudStack before 4.2.1 allow remote authenticated users to list network ACLs for other users via a crafted request...

4 CVSS, 6.2 AI score, 0.00323 EPSS
Exploits: 0, References: 3
NVD
added 2014/01/15 4:8 p.m., 10 views

CVE-2013-6398

The virtual router in Apache CloudStack before 4.2.1 does not preserve the source restrictions in firewall rules after being restarted, which allows remote attackers to bypass intended restrictions via a request...

2.8 CVSS, 6.5 AI score, 0.00989 EPSS
Exploits: 0, References: 7
Prion
added 2014/01/15 4:8 p.m., 11 views

Cross site request forgery (csrf)

The (1) ListNetworkACL and (2) listNetworkACLLists APIs in Apache CloudStack before 4.2.1 allow remote authenticated users to list network ACLs for other users via a crafted request...

4 CVSS, 6.7 AI score, 0.00323 EPSS
Exploits: 0, References: 3, Affected Software: 1
Prion
added 2014/01/15 4:8 p.m., 10 views

Cross site request forgery (csrf)

The virtual router in Apache CloudStack before 4.2.1 does not preserve the source restrictions in firewall rules after being restarted, which allows remote attackers to bypass intended restrictions via a request...

2.8 CVSS, 7.1 AI score, 0.00989 EPSS
Exploits: 0, References: 7, Affected Software: 1
CVE
added 2014/01/14 6:0 p.m., 49 views

CVE-2014-0031

Apache CloudStack (vulnerable: before 4.2.1) exposes an information disclosure via the ListNetworkACL and listNetworkACLLists APIs. The issue, caused by how crafted requests allow remote authenticated users to list network ACLs for other users, can reveal ACLs not owned by the attacker. Impact is...

4 CVSS, 6.4 AI score, 0.00323 EPSS
Exploits: 0, References: 3, Affected Software: 1
Cvelist
added 2014/01/14 6:0 p.m., 16 views

CVE-2013-6398

The virtual router in Apache CloudStack before 4.2.1 does not preserve the source restrictions in firewall rules after being restarted, which allows remote attackers to bypass intended restrictions via a request...

6.5 AI score, 0.00989 EPSS
Exploits: 0, References: 7
securityvulns
added 2014/01/14 12:0 a.m., 28 views

Apache CloudStack security vulnerabilities

Protection bypass, information leakage...

4 CVSS, 2.3 AI score, 0.00989 EPSS
Exploits: 0, References: 2, Affected Software: 1
securityvulns
added 2014/01/14 12:0 a.m., 77 views

Updated [CVE-2013-6398] CloudStack Virtual Router stop/start modifies firewall rules allowing additional access

Issued: November 27, 2013 Updated: January 10, 2014 CVE-2013-6398 CloudStack Virtual Router stop/start modifies firewall rules allowing additional access Product: Apache CloudStack Vendor: Apache Software Foundation Vulnerability type: Bypass Vulnerable Versions: Apache CloudStack 4.1.0, 4.1.1,...

4.3 CVSS, 1 AI score, 0.06724 EPSS
Exploits: 1
securityvulns
added 2013/09/09 12:0 a.m., 56 views

Updated [CVE-2013-2136] Apache CloudStack Cross-site scripting (XSS) vulnerability

Issued: August 6, 2013 Updated: August 7, 2013 Product: Apache CloudStack Vendor: The Apache Software Foundation Vulnerability Types: Cross-site scripting (XSS) Vulnerable versions: Apache CloudStack versions 4.0.0-incubating, 4.0.1-incubating, 4.0.2 and 4.1.0 CVE References: CVE-2013-2136 Risk...

4.3 CVSS, 0.8 AI score, 0.06724 EPSS
Exploits: 1
NVD
added 2013/08/19 11:55 p.m., 13 views

CVE-2013-2136

Multiple cross-site scripting (XSS) vulnerabilities in Apache CloudStack before 4.1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) Physical network name to the Zone wizard; (2) New network name, (3) instance name, or (4) group to the Instance wizard; (5) unspecified "multi-edit...

4.3 CVSS, 5.8 AI score, 0.06724 EPSS
Exploits: 1, References: 11
Prion
added 2013/08/19 11:55 p.m., 17 views

Cross site scripting

Multiple cross-site scripting (XSS) vulnerabilities in Apache CloudStack before 4.1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) Physical network name to the Zone wizard; (2) New network name, (3) instance name, or (4) group to the Instance wizard; (5) unspecified "multi-edit...

4.3 CVSS, 6.1 AI score, 0.06724 EPSS
Exploits: 1, References: 11, Affected Software: 1