PT-2019-6951 · Red Hat · Cloudforms
Name of the Vulnerable Software and Affected Versions: CloudForms, affected versions not specified. Description: The issue concerns the storage of user passwords in a recoverable format, which poses a security risk. Recommendations: At the moment, there is no information about a newer version that...
CVE-2018-10854
CloudForms versions 5.8 and 5.9 are vulnerable to cross-site scripting. A flaw was found in CloudForms's v2v infrastructure mapping delete feature: a stored cross-site scripting due to improper sanitization of user input in the Name field...
CVE-2019-10177
It was found that the PDF export component in CloudForms was vulnerable to cross-site scripting (XSS) as user input was not properly sanitized. An authenticated attacker with privileges to edit compute could use the XSS vulnerability against users, which could lead to arbitrary code execution, and...
CVE-2018-10905
CloudForms Management Engine has a vulnerability that allows local users to execute arbitrary commands as root. An attacker with SSH access to the system can use the dRuby DRb module installed on the system to execute arbitrary shell commands using instance_eval. Mitigation: Administrators of the...
CVE-2017-2664
CloudForms lacks RBAC controls on certain methods in the rails application portion of CloudForms. An attacker with access could use a variety of methods within the rails applications portion of CloudForms to escalate privileges...
CVE-2016-7047
A flaw was found in the CloudForms API. A user with permissions to use the MiqReportResults capability within the API could potentially view data from other tenants or groups to which they should not have access...
CVE-2018-1053
This release of CloudForms corrects an issue invoked when running pg_upgrade by which attackers could read or modify the output of pg_dumpall -g in the current working directory. With this release, any attack is rendered infeasible as the directory mode blocks an intruder from searching the current...
CVE-2017-2639
It was found that CloudForms does not verify that the server hostname matches the domain name in the certificate when using a custom CA and communicating with Red Hat Virtualization (RHEV) and OpenShift. This would allow an attacker to spoof RHEV or OpenShift systems and potentially harvest sensiti...
CVE-2018-16476
A deserialization flaw, leading to an information exposure flaw, was found in the activejob component used by Red Hat CloudForms and Red Hat Satellite. An attacker can use this flaw to leak memory addresses belonging to the aforementioned applications...
Cross-Site Scripting (XSS)
CloudForms is vulnerable to cross-site scripting (XSS). A remote attacker is able to inject arbitrary JavaScript into a victim's browser via the Name field...
Moderate: Red Hat Security Advisory: CloudForms 4.7.9 security, bug fix and enhancement update
An update is now available for CloudForms Management Engine 5.10. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE...
cloudforms: stored cross-site scripting in Name field
CloudForms versions 5.8 and 5.9 are vulnerable to cross-site scripting. A flaw was found in CloudForms's v2v infrastructure mapping delete feature: a stored cross-site scripting due to improper sanitization of user input in the Name field...
Moderate: Red Hat Security Advisory: CloudForms 4.7.8 security, bug fix and enhancement update
An update is now available for CloudForms Management Engine 5.10. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE...
RHEL 7 : CloudForms 4.7.3 (RHSA-2019:0796)
The remote Red Hat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2019:0796 advisory. Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual...
Low: Red Hat Security Advisory: CloudForms 4.7.7 security, bug fix and enhancement update
An update is now available for CloudForms Management Engine 5.10. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link...
Red Hat CloudForms Cross-Site Scripting Vulnerability
Red Hat CloudForms is a hybrid infrastructure management platform from Red Hat, Inc. The platform provides deployment, management, and other capabilities across virtual machines, clouds, containers, and physical infrastructure. A cross-site scripting vulnerability exists in the PDF export module ...
CVE-2019-10177
A stored cross-site scripting (XSS) vulnerability was found in the PDF export component of CloudForms, versions 5.9 and 5.10, because user input is not properly sanitized. An attacker with the least privilege to edit compute is able to execute an XSS attack against other users, which could lead to...
Cross site scripting
A stored cross-site scripting (XSS) vulnerability was found in the PDF export component of CloudForms, versions 5.9 and 5.10, because user input is not properly sanitized. An attacker with the least privilege to edit compute is able to execute an XSS attack against other users, which could lead to...
CVE-2019-10177
The CloudForms (Red Hat) PDF export module in versions 5.9 and 5.10 is affected by a stored XSS due to unsanitized user input. An attacker with privileges to edit compute can trigger XSS against other users, potentially leading to arbitrary code execution and theft of the higher-privileged user's ant...