10 matches found
CVE-2025-22828
CVE-2025-22828 affects Apache CloudStack 4.16.0 and later. An access validation issue lets users with access or prior knowledge of resource UUIDs list or add comments (annotations) on resources they are authorized to access, potentially reading or injecting comments that could disclose privileged...
CVE-2024-42222
CVE-2024-42222 affects Apache CloudStack 4.19.1.0, where a regression in the network listing API allows unauthorised listing of network details for domain admins and normal users, compromising tenant isolation and potentially exposing network configurations and data. The issue has been fixed in C...
CVE-2025-30675
CVE-2025-30675 in Apache CloudStack affects the listTemplates and listIsos APIs due to a flawed access-control check when domainid is specified with filters self or selfexecutable. The issue allows a Domain Admin or Resource Admin to enumerate templates/ISOs in unrelated domains, breaching isolat...
CVE-2013-2136
Apache CloudStack UI contains multiple cross-site scripting (XSS) vulnerabilities in versions up to 4.1.0, allowing authenticated/remote attackers to inject arbitrary script or HTML via fields in Zone, Network, Instance, global settings, and other UI inputs. The issue is fixed by upgrading to Clo...
CVE-2014-0031
Apache CloudStack (vulnerable: before 4.2.1) exposes an information disclosure via the ListNetworkACL and listNetworkACLLists APIs. The issue, caused by how crafted requests allow remote authenticated users to list network ACLs for other users, can reveal ACLs not owned by the attacker. Impact is...
CVE-2013-4317
CVE-2013-4317 describes an information-disclosure vulnerability in Apache CloudStack versions 4.1.0 and 4.1.1 . When a regular, non-administrative user calls the CloudStack API operation listProjectAccounts , the user can view information for accounts other than their own. The connected Red Hat a...
CVE-2025-22829
Affected software: Apache CloudStack with the Quota plugin (version 4.20.0.0). Issue: Improper privilege management logic lets an authenticated user with access to specific APIs enable/disable quota‑related emails and list quota configurations for any account in environments where the plugin is e...
CVE-2015-3251
CVE-2015-3251 : In Apache CloudStack, versions before 4.5.2 allow remote authenticated administrators to obtain sensitive password information for root accounts of virtual machines via unspecified API-call vectors. The vulnerability is an information disclosure issue tied to the API surface used ...
CVE-2025-59302
CVE-2025-59302 concerns Apache CloudStack where code injection is possible via admin-only APIs: quotaTariffCreate, quotaTariffUpdate, createSecondaryStorageSelector, updateSecondaryStorageSelector, updateHost, and updateStorage. The issue arises from improper control of code generation. A fix fla...
CVE-2025-59454
In Apache CloudStack, a gap in access control checks allowed an authenticated user to access information beyond their intended scope via several APIs. Affected endpoints include createNetworkACL, listNetworkACLs, listResourceDetails, listVirtualMachinesUsageHistory, and listVolumesUsageHistory. T...