CVE-2020-10778

In Red Hat CloudForms 4.7 and 5, the read only widgets can be edited by inspecting the forms and dropping the disabled attribute from the fields since there is no server-side validation. This business logic flaw violate the expected behavior...

CVE-2020-14325

Red Hat CloudForms before 5.11.7.0 was vulnerable to the User Impersonation authorization flaw which allows malicious attacker to create existent and non-existent role-based access control user, with groups and roles. With a selected group of EvmGroup-superadministrator, an attacker can perform a...

CVE-2020-10783

Red Hat CloudForms 4.7 and 5 is affected by a role-based privilege escalation flaw. An attacker with EVM-Operator group can perform actions restricted only to EVM-Super-administrator group, leads to, exporting or importing administrator files...

CVE-2020-14325

Red Hat CloudForms before 5.11.7.0 was vulnerable to the User Impersonation authorization flaw which allows malicious attacker to create existent and non-existent role-based access control user, with groups and roles. With a selected group of EvmGroup-superadministrator, an attacker can perform a...

CVE-2020-10779

Red Hat CloudForms 4.7 and 5 leads to insecure direct object references IDOR and functional level access control bypass due to missing privilege check. Therefore, if an attacker knows the right criteria, it is possible to access some sensitive data within the CloudForms...

CVE-2020-10779

Red Hat CloudForms 4.7 and 5 leads to insecure direct object references IDOR and functional level access control bypass due to missing privilege check. Therefore, if an attacker knows the right criteria, it is possible to access some sensitive data within the CloudForms...

CVE-2020-10777

A cross-site scripting flaw was found in Report Menu feature of Red Hat CloudForms 4.7 and 5. An attacker could use this flaw to execute a stored XSS attack on an application administrator using CloudForms...

CVE-2020-10777

A cross-site scripting flaw was found in Report Menu feature of Red Hat CloudForms 4.7 and 5. An attacker could use this flaw to execute a stored XSS attack on an application administrator using CloudForms...

Cross site scripting

A cross-site scripting flaw was found in Report Menu feature of Red Hat CloudForms 4.7 and 5. An attacker could use this flaw to execute a stored XSS attack on an application administrator using CloudForms...

Privilege escalation

Red Hat CloudForms 4.7 and 5 is affected by a role-based privilege escalation flaw. An attacker with EVM-Operator group can perform actions restricted only to EVM-Super-administrator group, leads to, exporting or importing administrator files...

Design/Logic Flaw

Red Hat CloudForms 4.7 and 5 leads to insecure direct object references IDOR and functional level access control bypass due to missing privilege check. Therefore, if an attacker knows the right criteria, it is possible to access some sensitive data within the CloudForms...

Authorization

Red Hat CloudForms before 5.11.7.0 was vulnerable to the User Impersonation authorization flaw which allows malicious attacker to create existent and non-existent role-based access control user, with groups and roles. With a selected group of EvmGroup-superadministrator, an attacker can perform a...

Input validation

In Red Hat CloudForms 4.7 and 5, the read only widgets can be edited by inspecting the forms and dropping the disabled attribute from the fields since there is no server-side validation. This business logic flaw violate the expected behavior...

CVE-2020-14296

Red Hat CloudForms 4.7 and 5 was vulnerable to Server-Side Request Forgery SSRF flaw. With the access to add Ansible Tower provider, an attacker could scan and attack systems from the internal network which are not normally accessible...

CVE-2020-14296

CVE-2020-14296 affects Red Hat CloudForms 4.7 and 5 with a Server-Side Request Forgery (SSRF) flaw exposed when adding an Ansible Tower provider. The issue allows an attacker to issue crafted requests from the vulnerable CloudForms server to scan or attack internal systems not normally accessible...

CVE-2020-14325

Red Hat CloudForms before 5.11.7.0 was vulnerable to the User Impersonation authorization flaw which allows malicious attacker to create existent and non-existent role-based access control user, with groups and roles. With a selected group of EvmGroup-superadministrator, an attacker can perform a...

CVE-2020-14325

CVE-2020-14325 describes a vulnerability in Red Hat CloudForms prior to 5.11.7.0 where a User Impersonation/authorization flaw could let an attacker create or use an RBAC user (with groups/roles such as EvmGroup-super_administrator) and perform API requests as a super administrator. The related R...

CVE-2020-10779

Red Hat CloudForms 4.7 and 5 leads to insecure direct object references IDOR and functional level access control bypass due to missing privilege check. Therefore, if an attacker knows the right criteria, it is possible to access some sensitive data within the CloudForms...

CVE-2020-10779

CVE-2020-10779 affects Red Hat CloudForms 4.7 and 5, where an insecure direct object reference (IDOR) and functional level access control bypass occur due to a missing privilege check. The issue enables an attacker with sufficient criteria and low privileges to access some sensitive data within C...

CVE-2020-10783

Red Hat CloudForms 4.7 and 5 is affected by a role-based privilege escalation flaw. An attacker with EVM-Operator group can perform actions restricted only to EVM-Super-administrator group, leads to, exporting or importing administrator files...