CVE-2014-0176

Cross-site scripting XSS vulnerability in application/panelcontrol in CloudForms 3.0 Management Engine CFME before 5.2.4.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors...

Design/Logic Flaw

The 1 shellexec function in lib/util/MiqSshUtilV1.rb and 2 tempcmdfile function in lib/util/MiqSshUtilV2.rb in Red Hat CloudForms 3.0 Management Engine CFME before 5.2.4.2 allow local users to execute arbitrary commands via a symlink attack on a temporary file with a predictable name...

CVE-2014-0176

Cross-site scripting XSS vulnerability in application/panelcontrol in CloudForms 3.0 Management Engine CFME before 5.2.4.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors...

CVE-2014-3486

The CVE-2014-3486 entry affects Red Hat CloudForms 3.0 Management Engine (CFME) before 5.2.4.2. A local attacker could exploit a symlink attack on a temporary file with a predictable name via two components: the shell_exec function in lib/util/MiqSshUtilV1.rb and the temp_cmd_file function in lib...

CVE-2014-0057

The xbutton method in the ServiceController vmdb/app/controllers/servicecontroller.rb in Red Hat CloudForms 3.0 Management Engine 5.2 allows remote attackers to execute arbitrary methods via unspecified vectors...

Cross site request forgery (csrf)

CloudForms 3.0 Management Engine before 5.2.1.6 allows remote attackers to bypass the Ruby on Rails protectfromforgery mechanism and conduct cross-site request forgery CSRF attacks via a destructive action in a request...