CVSS: 4.3EPSS: 0%CPEs: 7EXPL: 0CVE-2014-0176 – CFME: reflected XSS in several places due to missing JavaScript escaping
https://notcve.org/view.php?id=CVE-2014-0176
Cross-site scripting (XSS) vulnerability in application/panel_control in CloudForms 3.0 Management Engine (CFME) before 5.2.4.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidad de XSS en application/panel_control en CloudForms 3.0 Management Engine (CFME) anterior a 5.2.4.2 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de vectores no especificados. • http://rhn.redhat.com/errata/RHSA-2014-0816.html https://access.redhat.com/security/cve/CVE-2014-0176 https://bugzilla.redhat.com/show_bug.cgi?id=1086463 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.9EPSS: 0%CPEs: 7EXPL: 0CVE-2014-3486 – CFME: SSH Utility insecure tmp file creation leading to code execution as root
https://notcve.org/view.php?id=CVE-2014-3486
The (1) shell_exec function in lib/util/MiqSshUtilV1.rb and (2) temp_cmd_file function in lib/util/MiqSshUtilV2.rb in Red Hat CloudForms 3.0 Management Engine (CFME) before 5.2.4.2 allow local users to execute arbitrary commands via a symlink attack on a temporary file with a predictable name. (1) La función shell_exec en lib/util/MiqSshUtilV1.rb y (2) la función temp_cmd_file en lib/util/MiqSshUtilV2.rb en Red Hat CloudForms 3.0 Management Engine (CFME) anterior a 5.2.4.2 permiten a usuarios locales ejecutar comandos arbitrarios a través de un ataque de enlace simbólico sobre un fichero temporal con un nombre predecible. • http://rhn.redhat.com/errata/RHSA-2014-0816.html http://www.securityfocus.com/bid/68300 https://bugzilla.redhat.com/show_bug.cgi?id=1107528 https://access.redhat.com/security/cve/CVE-2014-3486 • CWE-59: Improper Link Resolution Before File Access ('Link Following') CWE-377: Insecure Temporary File •
CVSS: 4.3EPSS: 0%CPEs: 7EXPL: 0CVE-2014-3489 – CFME: Default salt value in miq-password.rb
https://notcve.org/view.php?id=CVE-2014-3489
lib/util/miq-password.rb in Red Hat CloudForms 3.0 Management Engine (CFME) before 5.2.4.2 uses a hard-coded salt, which makes it easier for remote attackers to guess passwords via a brute force attack. lib/util/miq-password.rb en Red Hat CloudForms 3.0 Management Engine (CFME) anterior a 5.2.4.2 utiliza un salt embebido, lo que facilita a atacantes remotos adivinar contraseñas a través de un ataque de fuerza bruta. • http://rhn.redhat.com/errata/RHSA-2014-0816.html http://www.securityfocus.com/bid/68299 https://access.redhat.com/security/cve/CVE-2014-3489 https://bugzilla.redhat.com/show_bug.cgi?id=1107853 • CWE-255: Credentials Management Errors CWE-321: Use of Hard-coded Cryptographic Key •
CVSS: 4.9EPSS: 0%CPEs: 7EXPL: 0CVE-2014-0184 – CFME: root password is written to evm.log when entered during VM provisioning
https://notcve.org/view.php?id=CVE-2014-0184
Red Hat CloudForms 3.0 Management Engine (CFME) before 5.2.4.2 logs the root password when deploying a VM, which allows local users to obtain sensitive information by reading the evm.log file. Red Hat CloudForms 3.0 Management Engine (CFME) anterior a 5.2.4.2 registra la contraseña root cuando implementa un VM, lo que permite a usuarios locales obtener información sensible mediante la lectura del fichero evm.log. • http://rhn.redhat.com/errata/RHSA-2014-0816.html https://access.redhat.com/security/cve/CVE-2014-0184 https://bugzilla.redhat.com/show_bug.cgi?id=1089131 • CWE-255: Credentials Management Errors CWE-522: Insufficiently Protected Credentials •
CVSS: 5.0EPSS: 0%CPEs: 7EXPL: 0CVE-2014-0180 – CFME: app/controllers/application_controller.rb wait_for_task DoS
https://notcve.org/view.php?id=CVE-2014-0180
The wait_for_task function in app/controllers/application_controller.rb in Red Hat CloudForms 3.0 Management Engine (CFME) before 5.2.4.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via unspecified vectors. La función wait_for_task en app/controllers/application_controller.rb en Red Hat CloudForms 3.0 Management Engine (CFME) anterior a 5.2.4.2 permite a atacantes remotos causar una denegación de servicio (bucle infinito y consumo de CPU) a través de vectores no especificados. • http://rhn.redhat.com/errata/RHSA-2014-0816.html https://access.redhat.com/security/cve/CVE-2014-0180 https://bugzilla.redhat.com/show_bug.cgi?id=1087909 • CWE-399: Resource Management Errors CWE-400: Uncontrolled Resource Consumption •