Cloudera HUE =< 3.9.0 is vulnerable to an access control issue allowing an unprivileged user to enumerate registered users with the following GET request:
http://<cloudera_HUE_IP>/desktop/api/users/autocomplete
Open redirection
Cloudera HUE =< 3.9.0 is vulnerable to an open redirection in the hidden next parameter of the login form:
http://<cloudera_HUE_IP>:8888/accounts/login/?next=//google.fr