CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2014-3692 – CFME: default fallback password in customization_templates.yml
https://notcve.org/view.php?id=CVE-2014-3692
The customization template in Red Hat CloudForms 3.1 Management Engine (CFME) 5.3 uses a default password for the root account when a password is not specified for a new image, which allows remote attackers to gain privileges. La plantilla customization en Red Hat CloudForms 3.1 Management Engine (CFME) 5.3 utiliza una contraseña por defecto para la cuenta de root cuando no se especifca una contraseña para una imagen nueva, lo que permite a atacantes remotos ganar privilegios. It was found that the CloudForms Management Engine customization template used a default root password for newly created images if no root password was specified. • http://rhn.redhat.com/errata/RHSA-2015-0028.html http://secunia.com/advisories/62255 https://access.redhat.com/security/cve/CVE-2014-3692 https://bugzilla.redhat.com/show_bug.cgi?id=1151258 • CWE-255: Credentials Management Errors CWE-798: Use of Hard-coded Credentials •
CVSS: 4.3EPSS: 0%CPEs: 6EXPL: 0CVE-2014-0140 – CFME: default routes expose controllers and actions
https://notcve.org/view.php?id=CVE-2014-0140
Red Hat CloudForms 3.1 Management Engine (CFME) before 5.3 allows remote authenticated users to access sensitive controllers and actions via a direct HTTP or HTTPS request. Red Hat CloudForms 3.1 Management Engine (CFME) anterior a 5.3 permite a usuarios remotos autenticados acceder a controladores y acciones sensibles a través de una solicitud HTTP o HTTPS directa. It was found that Red Hat CloudForms exposed default routes that were reachable via HTTP(S) requests. An authenticated user could use this flaw to access potentially sensitive controllers and actions that would allow for privilege escalation. • http://rhn.redhat.com/errata/RHSA-2014-1317.html https://bugzilla.redhat.com/show_bug.cgi?id=1077359 https://access.redhat.com/security/cve/CVE-2014-0140 • CWE-264: Permissions, Privileges, and Access Controls CWE-749: Exposed Dangerous Method or Function •
CVSS: 6.5EPSS: 0%CPEs: 6EXPL: 0CVE-2014-3642 – CFME: dangerous send method in performance.rb
https://notcve.org/view.php?id=CVE-2014-3642
vmdb/app/controllers/application_controller/performance.rb in Red Hat CloudForms 3.1 Management Engine (CFME) before 5.3 allows remote authenticated users to gain privileges via unspecified vectors, related to an "insecure send method." vmdb/app/controllers/application_controller/performance.rb en Red Hat CloudForms 3.1 Management Engine (CFME) anterior a 5.3 permite a usuarios remotos autenticados ganar privilegios a través de vectores no especificados, relacionado con un 'método de envió inseguro.' It was found that Red Hat CloudForms contained an insecure send method that accepted user-supplied arguments. An authenticated user could use this flaw to modify the program flow in a way that could result in privilege escalation. • http://rhn.redhat.com/errata/RHSA-2014-1317.html https://bugzilla.redhat.com/show_bug.cgi?id=1092894 https://access.redhat.com/security/cve/CVE-2014-3642 • CWE-264: Permissions, Privileges, and Access Controls CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') •
CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 0CVE-2014-0136 – CFME: AgentController get/log application log forging
https://notcve.org/view.php?id=CVE-2014-0136
The (1) get and (2) log methods in the AgentController in Red Hat CloudForms 3.0 Management Engine (CFME) 5.x allow remote attackers to insert arbitrary text into log files via unspecified vectors. Los métodos (1) get y (2) log en AgentController en Red Hat CloudForms 3.0 Management Engine (CFME) 5.x permiten a atacantes remotos insertar texto arbitrario en ficheros del registro a través de vectores no especificados. It was found that the get and log methods of the AgentController wrote log messages without sanitizing user input. A remote attacker could use this flaw to insert arbitrary content into the log files written to by AgentController. • http://rhn.redhat.com/errata/RHSA-2014-1037.html http://www.securityfocus.com/bid/69233 https://access.redhat.com/security/cve/CVE-2014-0136 https://bugzilla.redhat.com/show_bug.cgi?id=1076669 • CWE-20: Improper Input Validation CWE-117: Improper Output Neutralization for Logs •
CVSS: 4.3EPSS: 0%CPEs: 7EXPL: 0CVE-2014-0176 – CFME: reflected XSS in several places due to missing JavaScript escaping
https://notcve.org/view.php?id=CVE-2014-0176
Cross-site scripting (XSS) vulnerability in application/panel_control in CloudForms 3.0 Management Engine (CFME) before 5.2.4.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidad de XSS en application/panel_control en CloudForms 3.0 Management Engine (CFME) anterior a 5.2.4.2 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de vectores no especificados. • http://rhn.redhat.com/errata/RHSA-2014-0816.html https://access.redhat.com/security/cve/CVE-2014-0176 https://bugzilla.redhat.com/show_bug.cgi?id=1086463 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •