Search
Total
16 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-16892 | 3 Fedoraproject, Redhat, Rubyzip Project | 3 Fedora, Cloudforms, Rubyzip | 2023-12-28 | 7.1 HIGH | 5.5 MEDIUM |
| In Rubyzip before 1.3.0, a crafted ZIP file can bypass application checks on ZIP entry sizes because data about the uncompressed size can be spoofed. This allows attackers to cause a denial of service (disk consumption). | |||||
| CVE-2019-11358 | 10 Backdropcms, Debian, Drupal and 7 more | 102 Backdrop, Debian Linux, Drupal and 99 more | 2022-02-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype. | |||||
| CVE-2019-10159 | 1 Redhat | 2 Cfme-gemset, Cloudforms | 2021-11-02 | 4.0 MEDIUM | 4.3 MEDIUM |
| cfme-gemset versions 5.10.4.3 and below, 5.9.9.3 and below are vulnerable to a data leak, due to an improper authorization in the migration log controller. An attacker with access to an unprivileged user can access all VM migration logs available. | |||||
| CVE-2018-10855 | 3 Canonical, Debian, Redhat | 6 Ubuntu Linux, Debian Linux, Ansible Engine and 3 more | 2021-08-04 | 4.3 MEDIUM | 5.9 MEDIUM |
| Ansible 2.5 prior to 2.5.5, and 2.4 prior to 2.4.5, do not honor the no_log task flag for failed tasks. When the no_log flag has been used to protect sensitive data passed to a task from being logged, and that task does not run successfully, Ansible will expose sensitive data in log files and on the terminal of the user running Ansible. | |||||
| CVE-2020-10778 | 1 Redhat | 1 Cloudforms | 2021-07-21 | 6.5 MEDIUM | 6.0 MEDIUM |
| In Red Hat CloudForms 4.7 and 5, the read only widgets can be edited by inspecting the forms and dropping the disabled attribute from the fields since there is no server-side validation. This business logic flaw violate the expected behavior. | |||||
| CVE-2020-10779 | 1 Redhat | 1 Cloudforms | 2021-07-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| Red Hat CloudForms 4.7 and 5 leads to insecure direct object references (IDOR) and functional level access control bypass due to missing privilege check. Therefore, if an attacker knows the right criteria, it is possible to access some sensitive data within the CloudForms. | |||||
| CVE-2020-14369 | 1 Redhat | 1 Cloudforms | 2020-12-04 | 6.8 MEDIUM | 6.3 MEDIUM |
| This release fixes a Cross Site Request Forgery vulnerability was found in Red Hat CloudForms which forces end users to execute unwanted actions on a web application in which the user is currently authenticated. An attacker can make a forgery HTTP request to the server by crafting custom flash file which can force the user to perform state changing requests like provisioning VMs, running ansible playbooks and so forth. | |||||
| CVE-2020-10777 | 1 Redhat | 1 Cloudforms | 2020-08-12 | 3.5 LOW | 5.4 MEDIUM |
| A cross-site scripting flaw was found in Report Menu feature of Red Hat CloudForms 4.7 and 5. An attacker could use this flaw to execute a stored XSS attack on an application administrator using CloudForms. | |||||
| CVE-2013-4423 | 1 Redhat | 1 Cloudforms | 2019-11-06 | 2.1 LOW | 5.5 MEDIUM |
| CloudForms stores user passwords in recoverable format | |||||
| CVE-2013-0186 | 1 Redhat | 2 Cloudforms, Manageiq Enterprise Virtualization Manager | 2019-11-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in ManageIQ EVM allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2017-2664 | 1 Redhat | 2 Cloudforms, Cloudforms Management Engine | 2019-10-09 | 4.0 MEDIUM | 6.5 MEDIUM |
| CloudForms Management Engine (cfme) before 5.7.3 and 5.8.x before 5.8.1 lacks RBAC controls on certain methods in the rails application portion of CloudForms. An attacker with access could use a variety of methods within the rails application portion of CloudForms to escalate privileges. | |||||
| CVE-2017-2653 | 1 Redhat | 2 Cloudforms, Cloudforms Management Engine | 2019-10-09 | 4.0 MEDIUM | 6.5 MEDIUM |
| A number of unused delete routes are present in CloudForms before 5.7.2.1 which can be accessed via GET requests instead of just POST requests. This could allow an attacker to bypass the protect_from_forgery XSRF protection causing the routes to be used. This attack would require additional cross-site scripting or similar attacks in order to execute. | |||||
| CVE-2017-2632 | 1 Redhat | 2 Cloudforms, Cloudforms Management Engine | 2019-10-09 | 4.0 MEDIUM | 4.9 MEDIUM |
| A logic error in valid_role() in CloudForms role validation before 5.7.1.3 could allow a tenant administrator to create groups with a higher privilege level than the tenant administrator should have. This would allow an attacker with tenant administration access to elevate privileges. | |||||
| CVE-2016-7047 | 1 Redhat | 2 Cloudforms, Cloudforms Management Engine | 2019-10-09 | 4.0 MEDIUM | 4.3 MEDIUM |
| A flaw was found in the CloudForms API before 5.6.3.0, 5.7.3.1 and 5.8.1.2. A user with permissions to use the MiqReportResults capability within the API could potentially view data from other tenants or groups to which they should not have access. | |||||
| CVE-2018-11627 | 2 Redhat, Sinatrarb | 2 Cloudforms, Sinatra | 2019-02-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| Sinatra before 2.0.2 has XSS via the 400 Bad Request page that occurs upon a params parser exception. | |||||
| CVE-2015-7502 | 1 Redhat | 2 Cloudforms, Cloudforms Management Engine | 2016-04-18 | 1.9 LOW | 5.1 MEDIUM |
| Red Hat CloudForms 3.2 Management Engine (CFME) 5.4.4 and CloudForms 4.0 Management Engine (CFME) 5.5.0 do not properly encrypt data in the backend PostgreSQL database, which might allow local users to obtain sensitive data and consequently gain privileges by leveraging access to (1) database exports or (2) log files. | |||||