Redhat Cloudforms 3.0 Management Engine 5.2

11 matches found

added 2014/03/18 5:2 p.m., 61 views

CVE-2014-0057

The x_button method in the ServiceController (vmdb/app/controllers/service_controller.rb) in Red Hat CloudForms 3.0 Management Engine 5.2 allows remote attackers to execute arbitrary methods via unspecified vectors.

CVSS 7.5, AI score 6.6, EPSS 0.00703

added 2014/01/23 1:55 a.m., 53 views

CVE-2013-6443

CloudForms 3.0 Management Engine before 5.2.1.6 allows remote attackers to bypass the Ruby on Rails protect_from_forgery mechanism and conduct cross-site request forgery (CSRF) attacks via a destructive action in a request.

CVSS 6.8, AI score 7, EPSS 0.00095

added 2014/07/07 2:55 p.m., 50 views

CVE-2014-3486

The (1) shell_exec function in lib/util/MiqSshUtilV1.rb and (2) temp_cmd_file function in lib/util/MiqSshUtilV2.rb in Red Hat CloudForms 3.0 Management Engine (CFME) before 5.2.4.2 allow local users to execute arbitrary commands via a symlink attack on a temporary file with a predictable name.

CVSS 6.9, AI score 7.2, EPSS 0.00176

added 2014/07/07 2:55 p.m., 47 views

CVE-2014-0180

The wait_for_task function in app/controllers/application_controller.rb in Red Hat CloudForms 3.0 Management Engine (CFME) before 5.2.4.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via unspecified vectors.

CVSS 5, AI score 6.6, EPSS 0.00727

added 2014/07/07 2:55 p.m., 45 views

CVE-2014-3489

lib/util/miq-password.rb in Red Hat CloudForms 3.0 Management Engine (CFME) before 5.2.4.2 uses a hard-coded salt, which makes it easier for remote attackers to guess passwords via a brute force attack.

CVSS 4.3, AI score 6.5, EPSS 0.00403

added 2014/07/07 2:55 p.m., 44 views

CVE-2014-0184

Red Hat CloudForms 3.0 Management Engine (CFME) before 5.2.4.2 logs the root password when deploying a VM, which allows local users to obtain sensitive information by reading the evm.log file.

CVSS 4.9, AI score 5.8, EPSS 0.00131

added 2014/05/14 7:55 p.m., 42 views

CVE-2014-0137

SQL injection vulnerability in the saved_report_delete action in the ReportController in Red Hat CloudForms Management Engine (CFME) before 5.2.3.2 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, related to MiqReportResult.exists.

CVSS 6.5, AI score 8.2, EPSS 0.0039

added 2014/10/06 2:55 p.m., 40 views

CVE-2014-0140

Red Hat CloudForms 3.1 Management Engine (CFME) before 5.3 allows remote authenticated users to access sensitive controllers and actions via a direct HTTP or HTTPS request.

CVSS 4, AI score 6.4, EPSS 0.00171

added 2014/07/07 2:55 p.m., 39 views

CVE-2014-0176

Cross-site scripting (XSS) vulnerability in application/panel_control in CloudForms 3.0 Management Engine (CFME) before 5.2.4.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVSS 4.3, AI score 5.7, EPSS 0.00318

added 2014/10/06 2:55 p.m., 36 views

CVE-2014-3642

vmdb/app/controllers/application_controller/performance.rb in Red Hat CloudForms 3.1 Management Engine (CFME) before 5.3 allows remote authenticated users to gain privileges via unspecified vectors, related to an "insecure send method."

CVSS 6.5, AI score 6.7, EPSS 0.00391

added 2014/05/14 7:55 p.m., 33 views

CVE-2014-0078

The CatalogController in Red Hat CloudForms Management Engine (CFME) before 5.2.3.2 allows remote authenticated users to delete arbitrary catalogs via vectors involving guessing the catalog ID.

CVSS 4, AI score 6.5, EPSS 0.00619