CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 0CVE-2014-0136 – CFME: AgentController get/log application log forging
https://notcve.org/view.php?id=CVE-2014-0136
The (1) get and (2) log methods in the AgentController in Red Hat CloudForms 3.0 Management Engine (CFME) 5.x allow remote attackers to insert arbitrary text into log files via unspecified vectors. Los métodos (1) get y (2) log en AgentController en Red Hat CloudForms 3.0 Management Engine (CFME) 5.x permiten a atacantes remotos insertar texto arbitrario en ficheros del registro a través de vectores no especificados. It was found that the get and log methods of the AgentController wrote log messages without sanitizing user input. A remote attacker could use this flaw to insert arbitrary content into the log files written to by AgentController. • http://rhn.redhat.com/errata/RHSA-2014-1037.html http://www.securityfocus.com/bid/69233 https://access.redhat.com/security/cve/CVE-2014-0136 https://bugzilla.redhat.com/show_bug.cgi?id=1076669 • CWE-20: Improper Input Validation CWE-117: Improper Output Neutralization for Logs •
CVSS: 4.3EPSS: 0%CPEs: 7EXPL: 0CVE-2014-0176 – CFME: reflected XSS in several places due to missing JavaScript escaping
https://notcve.org/view.php?id=CVE-2014-0176
Cross-site scripting (XSS) vulnerability in application/panel_control in CloudForms 3.0 Management Engine (CFME) before 5.2.4.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidad de XSS en application/panel_control en CloudForms 3.0 Management Engine (CFME) anterior a 5.2.4.2 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de vectores no especificados. • http://rhn.redhat.com/errata/RHSA-2014-0816.html https://access.redhat.com/security/cve/CVE-2014-0176 https://bugzilla.redhat.com/show_bug.cgi?id=1086463 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.9EPSS: 0%CPEs: 7EXPL: 0CVE-2014-3486 – CFME: SSH Utility insecure tmp file creation leading to code execution as root
https://notcve.org/view.php?id=CVE-2014-3486
The (1) shell_exec function in lib/util/MiqSshUtilV1.rb and (2) temp_cmd_file function in lib/util/MiqSshUtilV2.rb in Red Hat CloudForms 3.0 Management Engine (CFME) before 5.2.4.2 allow local users to execute arbitrary commands via a symlink attack on a temporary file with a predictable name. (1) La función shell_exec en lib/util/MiqSshUtilV1.rb y (2) la función temp_cmd_file en lib/util/MiqSshUtilV2.rb en Red Hat CloudForms 3.0 Management Engine (CFME) anterior a 5.2.4.2 permiten a usuarios locales ejecutar comandos arbitrarios a través de un ataque de enlace simbólico sobre un fichero temporal con un nombre predecible. • http://rhn.redhat.com/errata/RHSA-2014-0816.html http://www.securityfocus.com/bid/68300 https://bugzilla.redhat.com/show_bug.cgi?id=1107528 https://access.redhat.com/security/cve/CVE-2014-3486 • CWE-59: Improper Link Resolution Before File Access ('Link Following') CWE-377: Insecure Temporary File •
CVSS: 4.3EPSS: 0%CPEs: 7EXPL: 0CVE-2014-3489 – CFME: Default salt value in miq-password.rb
https://notcve.org/view.php?id=CVE-2014-3489
lib/util/miq-password.rb in Red Hat CloudForms 3.0 Management Engine (CFME) before 5.2.4.2 uses a hard-coded salt, which makes it easier for remote attackers to guess passwords via a brute force attack. lib/util/miq-password.rb en Red Hat CloudForms 3.0 Management Engine (CFME) anterior a 5.2.4.2 utiliza un salt embebido, lo que facilita a atacantes remotos adivinar contraseñas a través de un ataque de fuerza bruta. • http://rhn.redhat.com/errata/RHSA-2014-0816.html http://www.securityfocus.com/bid/68299 https://access.redhat.com/security/cve/CVE-2014-3489 https://bugzilla.redhat.com/show_bug.cgi?id=1107853 • CWE-255: Credentials Management Errors CWE-321: Use of Hard-coded Cryptographic Key •
CVSS: 4.9EPSS: 0%CPEs: 7EXPL: 0CVE-2014-0184 – CFME: root password is written to evm.log when entered during VM provisioning
https://notcve.org/view.php?id=CVE-2014-0184
Red Hat CloudForms 3.0 Management Engine (CFME) before 5.2.4.2 logs the root password when deploying a VM, which allows local users to obtain sensitive information by reading the evm.log file. Red Hat CloudForms 3.0 Management Engine (CFME) anterior a 5.2.4.2 registra la contraseña root cuando implementa un VM, lo que permite a usuarios locales obtener información sensible mediante la lectura del fichero evm.log. • http://rhn.redhat.com/errata/RHSA-2014-0816.html https://access.redhat.com/security/cve/CVE-2014-0184 https://bugzilla.redhat.com/show_bug.cgi?id=1089131 • CWE-255: Credentials Management Errors CWE-522: Insufficiently Protected Credentials •