13 matches found
CVE-2014-0057
CVE-2014-0057 affects Red Hat CloudForms Management Engine 5.2 (ServiceController, x_button method). The vulnerability allows remote attackers to invoke arbitrary methods via unsanitized input, enabling potential arbitrary code execution or other impact as described by CVE details (base score 7.5...
CVE-2014-3486
The CVE-2014-3486 entry affects Red Hat CloudForms 3.0 Management Engine (CFME) before 5.2.4.2. A local attacker could exploit a symlink attack on a temporary file with a predictable name via two components: the shell_exec function in lib/util/MiqSshUtilV1.rb and the temp_cmd_file function in lib...
CVE-2013-6443
CVE-2013-6443 affects CloudForms 3.0 Management Engine prior to 5.2.1.6, where a GET request for a destructive action could bypass Rails protect_from_forgery and enable CSRF exploitation. The issue arises in the CloudForms web application where CSRF protections could be bypassed, allowing unautho...
CVE-2014-0180
CVE-2014-0180 affects Red Hat CloudForms 3.0 Management Engine (CFME) before version 5.2.4.2. The wait_for_task() function in app/controllers/application_controller.rb can, under certain conditions, enter an infinite loop, causing sustained CPU usage and a denial of service on the host running CF...
CVE-2014-0184
CVE-2014-0184 affects Red Hat CloudForms 3.0 CFME; the root password was logged to evm.log during VM deployment, enabling local users to read sensitive credentials. This is a local-privilege exposure stemming from a logging flaw. Impact per sources is sensitive information disclosure (root access...
CVE-2014-0176
CVE-2014-0176 is a cross-site scripting (XSS) flaw in CloudForms 3.0 Management Engine (CFME) prior to 5.2.4.2, affecting the application/panel_control component. The vulnerability allows remote attackers to inject arbitrary web script/HTML via unspecified vectors in CFME. The issue has been ackn...
CVE-2014-3489
CVE-2014-3489 affects Red Hat CloudForms 3.0 Management Engine (CFME); lib/util/miq-password.rb uses a hard-coded salt, enabling easier brute-force guessing of stored passwords by remote attackers. Documented impact: password guessing via brute force; exposure depends on access to stored credenti...
CVE-2014-7813
CVE-2014-7813 affects Red Hat CloudForms 3 Management Engine (CFME). The vulnerability allows remote authenticated users to cause a denial of service (resource consumption) through crafted usage involving Ruby on Rails .to_sym calls and lack of garbage collection for inserted symbols. CVSS metric...
CVE-2014-0137
CFME/CloudForms contains an SQL injection in the saved_report_delete action of the ReportController (MiqReportResult.exists) that can be exploited by an authenticated remote user. Affected versions: Red Hat CloudForms Management Engine prior to 5.2.3.2. Reported remediation: upgrade to 5.2.3.2 or...
CVE-2014-0140
Red Hat CloudForms Management Engine (CFME) prior to 5.3 is affected. An authenticated user could access sensitive controllers and actions via direct HTTP(S) requests, enabling possible privilege escalation. The issue is documented under CVE-2014-0140 and addressed in Red Hat’s RHSA-2014:1317; re...
CVE-2014-3642
CVE-2014-3642 affects Red Hat CloudForms 3.1 Management Engine (CFME) prior to 5.3. The vulnerability resides in vmdb/app/controllers/application_controller/performance.rb with an insecure send method, allowing remote authenticated users to gain privileges via unspecified vectors (privilege escal...
CVE-2014-0136
CVE-2014-0136 affects Red Hat CloudForms 3.0 Management Engine (CFME) 5.x, where the AgentController’s get and log methods allow remote attackers to insert arbitrary text into log files. The root cause is unsanitized user input written to log files from the AgentController, enabling arbitrary con...
CVE-2014-0078
The CVE affects Red Hat CloudForms Management Engine (CFME)