Lucene search

666 matches found

Cvelist · added 2014/10/27 1:0 a.m. · 11 views

CVE-2014-0136

The (1) get and (2) log methods in the AgentController in Red Hat CloudForms 3.0 Management Engine (CFME) 5.x allow remote attackers to insert arbitrary text into log files via unspecified vectors...

AI score: 6.8 · EPSS: 0.00243
Exploits: 0 · References: 2

Positive Technologies · added 2014/10/27 12:0 a.m. · 4 views

PT-2014-3494 · Red Hat · Red Hat Cloudforms

Name of the Vulnerable Software and Affected Versions: Red Hat CloudForms 3.0 Management Engine (CFME) version 5.x

Description: The issue concerns the AgentController in Red Hat CloudForms 3.0 Management Engine (CFME), where the get and log methods allow remote attackers to insert arbitrary text into...

CVSS: 5 · AI score: 6.7 · EPSS: 0.00243
Exploits: 0 · References: 3

NVD · added 2014/10/06 2:55 p.m. · 9 views

CVE-2014-3642

vmdb/app/controllers/application_controller/performance.rb in Red Hat CloudForms 3.1 Management Engine (CFME) before 5.3 allows remote authenticated users to gain privileges via unspecified vectors, related to an "insecure send method."...

CVSS: 6.5 · AI score: 6.5 · EPSS: 0.00534
Exploits: 0 · References: 2

NVD · added 2014/10/06 2:55 p.m. · 15 views

CVE-2014-0140

Red Hat CloudForms 3.1 Management Engine (CFME) before 5.3 allows remote authenticated users to access sensitive controllers and actions via a direct HTTP or HTTPS request...

CVSS: 4 · AI score: 6.2 · EPSS: 0.00243
Exploits: 0 · References: 2

Prion · added 2014/10/06 2:55 p.m. · 17 views

Design/Logic Flaw

vmdb/app/controllers/application_controller/performance.rb in Red Hat CloudForms 3.1 Management Engine (CFME) before 5.3 allows remote authenticated users to gain privileges via unspecified vectors, related to an "insecure send method."...

CVSS: 6.5 · AI score: 7 · EPSS: 0.00534
Exploits: 0 · References: 2 · Affected Software: 6

Cvelist · added 2014/10/06 2:0 p.m. · 16 views

CVE-2014-0140

Red Hat CloudForms 3.1 Management Engine (CFME) before 5.3 allows remote authenticated users to access sensitive controllers and actions via a direct HTTP or HTTPS request...

AI score: 6.2 · EPSS: 0.00243
Exploits: 0 · References: 2

CVE · added 2014/10/06 2:0 p.m. · 48 views

CVE-2014-0140

Red Hat CloudForms Management Engine (CFME) prior to 5.3 is affected. An authenticated user could access sensitive controllers and actions via direct HTTP(S) requests, enabling possible privilege escalation. The issue is documented under CVE-2014-0140 and addressed in Red Hat’s RHSA-2014:1317; re...

CVSS: 4 · AI score: 6.4 · EPSS: 0.00243
Exploits: 0 · References: 2 · Affected Software: 6

Cvelist · added 2014/10/06 2:0 p.m. · 13 views

CVE-2014-3642

vmdb/app/controllers/application_controller/performance.rb in Red Hat CloudForms 3.1 Management Engine (CFME) before 5.3 allows remote authenticated users to gain privileges via unspecified vectors, related to an "insecure send method."...

AI score: 6.5 · EPSS: 0.00534
Exploits: 0 · References: 2

CVE · added 2014/10/06 2:0 p.m. · 43 views

CVE-2014-3642

CVE-2014-3642 affects Red Hat CloudForms 3.1 Management Engine (CFME) prior to 5.3. The vulnerability resides in vmdb/app/controllers/application_controller/performance.rb with an insecure send method, allowing remote authenticated users to gain privileges via unspecified vectors (privilege escal...

CVSS: 6.5 · AI score: 6.7 · EPSS: 0.00534
Exploits: 0 · References: 2 · Affected Software: 6

Positive Technologies · added 2014/10/06 12:0 a.m. · 2 views

PT-2014-3496 · Red Hat · Red Hat Cloudforms

Name of the Vulnerable Software and Affected Versions: Red Hat CloudForms versions prior to 5.3

Description: The issue allows remote authenticated users to access sensitive controllers and actions via a direct HTTP or HTTPS request.

Recommendations: For versions prior to 5.3, update to version 5....

CVSS: 4 · AI score: 6 · EPSS: 0.00243
Exploits: 0 · References: 3

Positive Technologies · added 2014/10/06 12:0 a.m. · 1 views

PT-2014-5433 · Red Hat · Red Hat Cloudforms

Name of the Vulnerable Software and Affected Versions: Red Hat CloudForms versions prior to 5.3

Description: The issue allows remote authenticated users to gain privileges via unspecified vectors, related to an "insecure send method" in the vmdb/app/controllers/application_controller/performance....

CVSS: 6.5 · AI score: 6.3 · EPSS: 0.00534
Exploits: 0 · References: 3

RedHat Linux · added 2014/10/02 6:40 p.m. · 1 views

CFME: dangerous send method in performance.rb

It was found that Red Hat CloudForms contained an insecure send method that accepted user-supplied arguments. An authenticated user could use this flaw to modify the program flow in a way that could result in privilege escalation...

CVSS: 6.5 · AI score: 5.7 · EPSS: 0.00534
Exploits: 0 · References: 4

RedHat Linux · added 2014/10/02 6:40 p.m. · 39 views

Moderate: Red Hat Security Advisory: cfme security, bug fix, and enhancement update

Updated cfme packages that fix two security issues, several bugs, and add various enhancements are now available for Red Hat CloudForms 3.1. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed...

CVSS: 6.5 · AI score: 5.8 · EPSS: 0.00534
Exploits: 0 · References: 5

RedHat Linux · added 2014/10/02 6:40 p.m. · 0 views

CFME: default routes expose controllers and actions

It was found that Red Hat CloudForms exposed default routes that were reachable via HTTPS requests. An authenticated user could use this flaw to access potentially sensitive controllers and actions that would allow for privilege escalation...

CVSS: 4 · AI score: 5.7 · EPSS: 0.00243
Exploits: 0 · References: 4

RedHat Linux · added 2014/08/13 6:18 p.m. · 23 views

Moderate: Red Hat Security Advisory: cfme security and bug fix update

Updated cfme packages that fix one security issue and several bugs are now available for Red Hat CloudForms 3.0. Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is...

CVSS: 5 · AI score: 6 · EPSS: 0.00243
Exploits: 0 · References: 4

NVD · added 2014/07/07 2:55 p.m. · 18 views

CVE-2014-3486

The (1) shellexec function in lib/util/MiqSshUtilV1.rb and (2) tempcmdfile function in lib/util/MiqSshUtilV2.rb in Red Hat CloudForms 3.0 Management Engine (CFME) before 5.2.4.2 allow local users to execute arbitrary commands via a symlink attack on a temporary file with a predictable name...

CVSS: 6.9 · AI score: 7 · EPSS: 0.00176
Exploits: 0 · References: 3

NVD · added 2014/07/07 2:55 p.m. · 13 views

CVE-2014-3489

lib/util/miq-password.rb in Red Hat CloudForms 3.0 Management Engine (CFME) before 5.2.4.2 uses a hard-coded salt, which makes it easier for remote attackers to guess passwords via a brute force attack...

CVSS: 4.3 · AI score: 6.4 · EPSS: 0.00403
Exploits: 0 · References: 2

NVD · added 2014/07/07 2:55 p.m. · 11 views

CVE-2014-0176

Cross-site scripting (XSS) vulnerability in application/panelcontrol in CloudForms 3.0 Management Engine (CFME) before 5.2.4.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors...

CVSS: 4.3 · AI score: 5.5 · EPSS: 0.00318
Exploits: 0 · References: 1

NVD · added 2014/07/07 2:55 p.m. · 14 views

CVE-2014-0184

Red Hat CloudForms 3.0 Management Engine (CFME) before 5.2.4.2 logs the root password when deploying a VM, which allows local users to obtain sensitive information by reading the evm.log file...

CVSS: 4.9 · AI score: 5.8 · EPSS: 0.00131
Exploits: 0 · References: 1

NVD · added 2014/07/07 2:55 p.m. · 16 views

CVE-2014-0180

The waitfortask function in app/controllers/applicationcontroller.rb in Red Hat CloudForms 3.0 Management Engine (CFME) before 5.2.4.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via unspecified vectors...

CVSS: 5 · AI score: 6.5 · EPSS: 0.00727
Exploits: 0 · References: 1