CVE-2019-10177
A stored cross-site scripting (XSS) vulnerability was found in the PDF export component of CloudForms, versions 5.9 and 5.10, because user input is not properly sanitized. An attacker with least privilege to edit compute is able to execute an XSS attack against other users, which could lead to...
Red Hat CloudForms Access Control Error Vulnerability
Red Hat CloudForms is a hybrid infrastructure management platform from Red Hat, Inc. The platform provides deployment, management, and other capabilities across virtual machines, clouds, containers, and physical infrastructure. An access control error vulnerability exists in Red Hat CloudForms...
CVE-2017-15123
A flaw was found in the CloudForms web interface, versions 5.8 - 5.10, where the RSS feed URLs are not properly restricted to authenticated users only. An attacker could use this flaw to view potentially sensitive information from CloudForms including data such as newly created virtual machines...
Design/Logic Flaw
A flaw was found in the CloudForms web interface, versions 5.8 - 5.10, where the RSS feed URLs are not properly restricted to authenticated users only. An attacker could use this flaw to view potentially sensitive information from CloudForms including data such as newly created virtual machines...
CVE-2017-15123
CVE-2017-15123 affects Red Hat CloudForms web interface versions 5.8–5.10, where RSS feed URLs are not properly access-restricted to authenticated users, enabling disclosure of potentially sensitive data (e.g., newly created virtual machines). The entry is supported by NVD (CVSS v2 base 5.0, CVSS...
Important: Red Hat Security Advisory: CloudForms 4.7.5 security, bug fix and enhancement update
An update is now available for CloudForms Management Engine 5.10. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CV...
CVE-2017-15123
A flaw was found in the CloudForms web interface where the RSS feed URLs are not properly restricted to authenticated users only. An attacker could use this flaw to view potentially sensitive information from CloudForms including data such as newly created virtual machines...
Important: Red Hat Security Advisory: CloudForms 4.6.9 security, bug fix and enhancement update
An update is now available for CloudForms Management Engine 5.9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE...
Denial Of Service (DoS)
CloudForms Management Engine (cfme) is vulnerable to denial of service (DoS) attacks. An attacker is able to execute arbitrary methods via filtering on VMs that MiqExpression will execute, triggerable by API users. An attacker could use this flaw to crash the application...
Remote Code Execution
Red Hat CloudForms is vulnerable to remote code execution. This is because the dialog for creating cloud volumes (cinder provider) in CloudForms does not filter cloud tenants by user. An attacker with the ability to create storage volumes could use this to create storage volumes for any other tenan...
Certificate Validation Bypass
CloudForms is vulnerable to certificate validation bypass. This is because CloudForms does not verify that the server hostname matches the domain name in the certificate when using a custom CA and communicating with Red Hat Virtualization (RHEV) and OpenShift. An attacker could potentially harvest...
Credential Disclosure Through A Brute Force Attack
Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a model-view-controller (MVC) framework for web application development. Action Pack implemen...
Arbitrary Code Execution
Red Hat CloudForms Management Engine delivers the insight, control, and automation enterprises need to address the challenges of managing virtual environments, which are far more complex than physical ones. This technology enables enterprises with existing virtual infrastructures to improve...
Privilege Escalation
Red Hat CloudForms is an on-premise hybrid cloud Infrastructure-as-a-Service (IaaS) product that lets you create and manage private and public clouds. This update fixes bugs in and adds enhancements to the System Engine packages, and upgrades the system to CloudForms 1.1. This update also fixes the...
Information Disclosure
Red Hat CloudForms is an on-premise hybrid cloud Infrastructure-as-a-Service (IaaS) product that lets you create and manage private and public clouds. This update fixes bugs in and adds enhancements to the System Engine packages, and upgrades the system to CloudForms 1.1. This update also fixes the...
Information Disclosure
Red Hat CloudForms is an on-premise hybrid cloud Infrastructure-as-a-Service (IaaS) product that lets you create and manage private and public clouds. This update fixes bugs in and adds enhancements to the System Engine packages, and upgrades the system to CloudForms 1.1. This update also fixes the...
Important: Red Hat Security Advisory: CloudForms 4.7.3 security, bug fix and enhancement update
An update is now available for CloudForms Management Engine 5.10. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CV...
activejob: Information Exposure through deserialization using GlobalId
A deserialization flaw, leading to an information exposure flaw, was found in the activejob component used by Red Hat CloudForms and Red Hat Satellite. An attacker can use this flaw to leak memory addresses belonging to the aforementioned applications...