CVSS: 5.1EPSS: 0%CPEs: 4EXPL: 0CVE-2015-7502 – CloudForms: insecure password storage in PostgreSQL database
https://notcve.org/view.php?id=CVE-2015-7502
08 Dec 2015 — Red Hat CloudForms 3.2 Management Engine (CFME) 5.4.4 and CloudForms 4.0 Management Engine (CFME) 5.5.0 do not properly encrypt data in the backend PostgreSQL database, which might allow local users to obtain sensitive data and consequently gain privileges by leveraging access to (1) database exports or (2) log files. Red Hat CloudForms 3.2 Management Engine (CFME) 5.4.4 y CloudForms 4.0 Management Engine (CFME) 5.5.0 no cifra correctamente datos en el backend de base de datos PostgreSQL, lo que podría perm... • http://rhn.redhat.com/errata/RHSA-2015-2620.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-522: Insufficiently Protected Credentials •
CVSS: 7.5EPSS: 0%CPEs: 9EXPL: 1CVE-2012-6685 – rubygem-nokogiri: XML eXternal Entity (XXE) flaw
https://notcve.org/view.php?id=CVE-2012-6685
13 Aug 2015 — Nokogiri before 1.5.4 is vulnerable to XXE attacks Nokogiri versiones anteriores a 1.5.4, es vulnerable a ataques de tipo XXE. OS X Yosemite 10.10.5 and Security Update 2015-006 is now available and addresses vulnerabilities in Apache, the OD plug-in, IOBluetoothHCIController, and more. • https://bugzilla.redhat.com/show_bug.cgi?id=1178970 • CWE-611: Improper Restriction of XML External Entity Reference CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') •
CVSS: 8.8EPSS: 40%CPEs: 2EXPL: 3CVE-2013-2050 – Red Hat CloudForms Management Engine 5.1 miq_policy/explorer SQL Injection
https://notcve.org/view.php?id=CVE-2013-2050
27 Dec 2013 — SQL injection vulnerability in the miq_policy controller in Red Hat CloudForms 2.0 Management Engine (CFME) 5.1 and ManageIQ Enterprise Virtualization Manager 5.0 and earlier allows remote authenticated users to execute arbitrary SQL commands via the profile[] parameter in an explorer action. Vulnerabilidad de inyección SQL en el controlador miq_policy para Red Hat CloudForms 2.0 Management Engine (CFME) 5.1 y ManageIQ Enterprise Virtualization Manager 5.0 y anteriores permite a usuarios remotos autenticado... • https://packetstorm.news/files/id/124609 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 10.0EPSS: 75%CPEs: 1EXPL: 3CVE-2013-2068 – Red Hat CloudForms Management Engine 5.1 agent/linuxpkgs Path Traversal
https://notcve.org/view.php?id=CVE-2013-2068
04 Sep 2013 — Multiple directory traversal vulnerabilities in the AgentController in Red Hat CloudForms Management Engine 2.0 allow remote attackers to create and overwrite arbitrary files via a .. (dot dot) in the filename parameter to the (1) log, (2) upload, or (3) linuxpkgs method. Múltiples vulnerabilidades de recorrido de directorios en AgentController de Red Hat CloudForms Management Engine 2.0, permite a un atacante remoto crear y sobreescribir archivos a discrección a traés de un .. (punto punto) en el parámetro... • https://packetstorm.news/files/id/124569 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 8.5EPSS: 0%CPEs: 1EXPL: 0CVE-2013-4172 – interface: Ruby code injection
https://notcve.org/view.php?id=CVE-2013-4172
19 Aug 2013 — The Red Hat CloudForms Management Engine 5.1 allow remote administrators to execute arbitrary Ruby code via unspecified vectors. Red Hat CloudForms Management Engine v5.1 permite a administradores remotos ejecutar código Ruby arbitrario a través de vectores no especificados. Red Hat CloudForms Management Engine provides the insight, control, and automation needed to address the challenges of managing virtual environments. An input sanitization flaw was found in Red Hat CloudForms Management Engine. A user w... • http://rhn.redhat.com/errata/RHSA-2013-1157.html • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') •