cfme is vulnerable to privilege escalation attacks. The vulnerability exists as it was found that the CloudForms before 5.6.2.2, and 5.7.0.7 did not properly apply permissions controls to VM IDs passed by users. A remote, authenticated attacker could use this flaw to execute arbitrary VMs on systems managed by CloudForms if they know the ID of the VM.
rhn.redhat.com/errata/RHSA-2016-2091.html
access.redhat.com/security/updates/classification/#important
bugzilla.redhat.com/show_bug.cgi?id=1385887
bugzilla.redhat.com/show_bug.cgi?id=1385898
bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7071
rhn.redhat.com/errata/RHSA-2016-1996.html
rhn.redhat.com/errata/RHSA-2016-2091.html