ApacheCloudstack

8 matches found

CVE
added 2025/01/13 1:16 p.m., 78 views

CVE-2025-22828

CloudStack users can add and read comments (annotations) on resources they are authorised to access. Due to an access validation issue that affects Apache CloudStack versions from 4.16.0, users who have access, prior access or knowledge of resource UUIDs can list and add comments (annotations) to s...

4.3 CVSS, 6.3 AI score, 0.11896 EPSS
CVE
added 2024/08/07 8:16 a.m., 59 views

CVE-2024-42222

In Apache CloudStack 4.19.1.0, a regression in the network listing API allows unauthorised list access of network details for domain admin and normal user accounts. This vulnerability compromises tenant isolation, potentially leading to unauthorised access to network details, configurations and dat...

4.3 CVSS, 7 AI score, 0.00794 EPSS
CVE
added 2013/08/19 11:55 p.m., 40 views

CVE-2013-2136

Multiple cross-site scripting (XSS) vulnerabilities in Apache CloudStack before 4.1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) Physical network name to the Zone wizard; (2) New network name, (3) instance name, or (4) group to the Instance wizard; (5) unspecified "mu...

4.3 CVSS, 5.8 AI score, 0.06724 EPSS
CVE
added 2025/06/11 12:15 a.m., 40 views

CVE-2025-30675

In Apache CloudStack, a flaw in access control affects the listTemplates and listIsos APIs. A malicious Domain Admin or Resource Admin can exploit this issue by intentionally specifying the 'domainid' parameter along with the 'filter=self' or 'filter=selfexecutable' values. This allows the attacker...

4.7 CVSS, 4.8 AI score, 0.0007 EPSS
CVE
added 2014/01/15 4:8 p.m., 38 views

CVE-2014-0031

The (1) ListNetworkACL and (2) listNetworkACLLists APIs in Apache CloudStack before 4.2.1 allow remote authenticated users to list network ACLs for other users via a crafted request.

4 CVSS, 6.4 AI score, 0.00323 EPSS
CVE
added 2018/02/06 2:29 p.m., 37 views

CVE-2013-4317

In Apache CloudStack 4.1.0 and 4.1.1, when calling the CloudStack API call listProjectAccounts as a regular, non-administrative user, the user is able to see information for accounts other than their own.

4.3 CVSS, 4.5 AI score, 0.00459 EPSS
CVE
added 2016/02/08 7:59 p.m., 34 views

CVE-2015-3251

Apache CloudStack before 4.5.2 might allow remote authenticated administrators to obtain sensitive password information for root accounts of virtual machines via unspecified vectors related to API calls.

4.9 CVSS, 4.7 AI score, 0.00179 EPSS
CVE
added 2025/06/10 11:15 p.m., 31 views

CVE-2025-22829

The CloudStack Quota plugin has an improper privilege management logic in version 4.20.0.0. Anyone with authenticated user-account access in CloudStack 4.20.0.0 environments, where this plugin is enabled and have access to specific APIs can enable or disable reception of quota-related emails for an...

4.3 CVSS, 6.5 AI score, 0.00118 EPSS