
CVE-2013-6443 – CFME: GET request CSRF vulnerability
https://notcve.org/view.php?id=CVE-2013-6443
14 Jan 2014 — CloudForms 3.0 Management Engine before 5.2.1.6 allows remote attackers to bypass the Ruby on Rails protect_from_forgery mechanism and conduct cross-site request forgery (CSRF) attacks via a destructive action in a request. Red Hat CloudForms Management Engine delivers the insig... • http://rhn.redhat.com/errata/RHSA-2014-0025.html • CWE-352: Cross-Site Request Forgery (CSRF) •

CVE-2012-5604
https://notcve.org/view.php?id=CVE-2012-5604
01 Mar 2013 — The ldap_fluff gem for Ruby, as used in Red Hat CloudForms 1.1, when using Active Directory for authentication, allows remote attackers to bypass authentication via unspecified vectors. • http://rhn.redhat.com/errata/RHSA-2013-0544.html • CWE-264: Permissions, Privileges, and Access Controls •

CVE-2012-5603 – Katello: lack of authorization in proxies_controller.rb
https://notcve.org/view.php?id=CVE-2012-5603
04 Jan 2013 — proxies_controller.rb in Katello in Red Hat CloudForms before 1.1 does not properly check permissions, which allows remote authenticated users to read consumer certificates or change arbitrary users' settings via unspecified vectors related to the "consumer UUID" of a system. • http://osvdb.org/88140 • CWE-264: Permissions, Privileges, and Access Controls •

CVE-2012-5605 – grinder: /var/lib/pulp/cache/grinder directory is world-writeable
https://notcve.org/view.php?id=CVE-2012-5605
04 Jan 2013 — Grinder in Red Hat CloudForms before 1.1 uses world-writable permissions for /var/lib/pulp/cache/grinder/, which allows local users to modify grinder cache files. • http://osvdb.org/88141 • CWE-264: Permissions, Privileges, and Access Controls •

CVE-2012-4574 – pulp /etc/pulp/pulp.conf world readable, contains default admin password
https://notcve.org/view.php?id=CVE-2012-4574
04 Jan 2013 — Pulp in Red Hat CloudForms before 1.1 uses world-readable permissions for pulp.conf, which allows local users to read the administrative password by reading this file. • http://osvdb.org/88138 • CWE-255: Credentials Management Errors •

CVE-2012-3538 – katello: pulp admin password logged in plaintext in world-readable katello/production.log
https://notcve.org/view.php?id=CVE-2012-3538
04 Jan 2013 — Pulp in Red Hat CloudForms before 1.1 logs administrative passwords in a world-readable file, which allows local users to read pulp administrative passwords by reading production.log. • http://osvdb.org/88139 • CWE-255: Credentials Management Errors •