SUSE CVE-2017-7530
In CloudForms Management Engine (cfme) before 5.7.3 and 5.8.x before 5.8.1, it was found that a privilege check is missing when invoking arbitrary methods via filtering on VMs that MiqExpression will execute, which is triggerable by API users. An attacker could use this to execute actions they should n...
CVE-2018-10905
CloudForms Management Engine has a vulnerability that allows local users to execute arbitrary commands as root. An attacker with SSH access to the system can use the dRuby (DRb) module installed on the system to execute arbitrary shell commands using instance_eval. Mitigation: Administrators of the...
CVE-2016-7047
A flaw was found in the CloudForms API before 5.6.3.0, 5.7.3.1 and 5.8.1.2. A user with permissions to use the MiqReportResults capability within the API could potentially view data from other tenants or groups to which they should not have access...
cfme: API leaks any MiqReportResult
A flaw was found in the CloudForms API. A user with permissions to use the MiqReportResults capability within the API could potentially view data from other tenants or groups to which they should not have access...
CVE-2016-1423
A vulnerability in the display of email messages in the Messages in Quarantine (MIQ) view in Cisco AsyncOS for Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to cause a user to click a malicious link in the MIQ view. The malicious link could be used to facilitate...
CVE-2016-1423
The CVE-2016-1423 entry documents a vulnerability in Cisco AsyncOS for Cisco Email Security Appliance (ESA) affecting the Messages in Quarantine (MIQ) view. The issue arises from malformed HTML script tags in quarantined email messages, which could allow an unauthenticated remote attacker to caus...
CFME: Default salt value in miq-password.rb
lib/util/miq-password.rb in Red Hat CloudForms 3.0 Management Engine (CFME) before 5.2.4.2 uses a hard-coded salt, which makes it easier for remote attackers to guess passwords via a brute force attack...
PT-2014-3495 · Red Hat · Red Hat Cloudforms Management Engine
Name of the Vulnerable Software and Affected Versions: Red Hat CloudForms Management Engine (CFME) versions prior to 5.2.3.2
Description: The issue allows remote authenticated users to execute arbitrary SQL commands. This is related to the MiqReportResult.exists function in the ReportController...
PT-2014-2542 · Red Hat +1 · Red Hat Cloudforms +1
Name of the Vulnerable Software and Affected Versions: Red Hat CloudForms 2.0 Management Engine (CFME) versions 5.1 and earlier; ManageIQ Enterprise Virtualization Manager versions 5.0 and earlier
Description: The issue allows remote authenticated users to execute arbitrary SQL commands. This is...
2: miq_policy/explorer SQL injection
SQL injection vulnerability in the miq_policy controller in Red Hat CloudForms 2.0 Management Engine (CFME) 5.1 and ManageIQ Enterprise Virtualization Manager 5.0 and earlier allows remote authenticated users to execute arbitrary SQL commands via the profile parameter in an explorer action...