CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2018-10905 – cfme: Improper access control in dRuby allows local users to execute arbitrary commands as root
https://notcve.org/view.php?id=CVE-2018-10905
CloudForms Management Engine (cfme) is vulnerable to an improper security setting in the dRuby component of CloudForms. An attacker with access to an unprivileged local shell could use this flaw to execute commands as a high privileged user. CloudForms Management Engine (cfme) es vulnerable a una opción de seguridad incorrecta en el componente dRuby de CloudForms. Un atacante con acceso a un shell local sin privilegios podría emplear este error para ejecutar comandos como usuario con altos privilegios. CloudForms Management Engine has a vulnerability that allows local users to execute arbitrary commands as root. • https://access.redhat.com/errata/RHSA-2018:2561 https://access.redhat.com/errata/RHSA-2018:2745 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10905 https://access.redhat.com/security/cve/CVE-2018-10905 https://bugzilla.redhat.com/show_bug.cgi?id=1602190 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-284: Improper Access Control •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2017-15125 – cloudforms: XSS in self-service UI snapshot feature
https://notcve.org/view.php?id=CVE-2017-15125
A flaw was found in CloudForms before 5.9.0.22 in the self-service UI snapshot feature where the name field is not properly sanitized for HTML and JavaScript input. An attacker could use this flaw to execute a stored XSS attack on an application administrator using CloudForms. Please note that CSP (Content Security Policy) prevents exploitation of this XSS however not all browsers support CSP. Se ha encontrado un fallo en CloudForms en versiones anteriores a la 5.9.0.22 en la función de instantánea de la interfaz de usuario de autoservicio, donde el campo de nombre no está correctamente saneado para la entrada de código HTML y JavaScript. Un atacante podría aprovechar este fallo para ejecutar un ataque de Cross-Site Scripting (XSS) persistente en un administrador de aplicaciones que emplee CloudForms. • http://www.securityfocus.com/bid/102287 https://access.redhat.com/errata/RHSA-2018:0380 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-15125 https://access.redhat.com/security/cve/CVE-2017-15125 https://bugzilla.redhat.com/show_bug.cgi?id=1517396 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •