CVSS: 6.5 • EPSS: 0% • CPEs: 4 • EXPL: 0

12 May 2014 — The CatalogController in Red Hat CloudForms Management Engine (CFME) before 5.2.3.2 allows remote authenticated users to delete arbitrary catalogs via vectors involving guessing the catalog ID. Red Hat CloudForms Management Engine delivers the insight, control, and automation needed... • http://rhn.redhat.com/errata/RHSA-2014-0469.html • CWE-264: Permissions, Privileges, and Access Controls • CWE-862: Missing Authorization

CVSS: 9.8 • EPSS: 0% • CPEs: 2 • EXPL: 0

11 Mar 2014 — The x_button method in the ServiceController (vmdb/app/controllers/service_controller.rb) in Red Hat CloudForms 3.0 Management Engine 5.2 allows remote attackers to execute arbitrary methods via unspecified vectors. Red Hat CloudForms Management Engine delivers the insight,... • http://rhn.redhat.com/errata/RHSA-2014-0215.html • CWE-94: Improper Control of Generation of Code ('Code Injection') • CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

CVSS: 8.8 • EPSS: 0% • CPEs: 3 • EXPL: 0

14 Jan 2014 — CloudForms 3.0 Management Engine before 5.2.1.6 allows remote attackers to bypass the Ruby on Rails protect_from_forgery mechanism and conduct cross-site request forgery (CSRF) attacks via a destructive action in a request. Red Hat CloudForms Management Engine delivers the insig... • http://rhn.redhat.com/errata/RHSA-2014-0025.html • CWE-352: Cross-Site Request Forgery (CSRF)