CVE-2013-6460
https://notcve.org/view.php?id=CVE-2013-6460
Nokogiri gem 1.5.x has a Denial of Service via an infinite loop when parsing XML documents. • http://www.openwall.com/lists/oss-security/2013/12/27/2 http://www.securityfocus.com/bid/64513 https://access.redhat.com/security/cve/cve-2013-6460 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6460 https://bugzilla.suse.com/show_bug.cgi?id=CVE-2013-6460 https://exchange.xforce.ibmcloud.com/vulnerabilities/90058 https://security-tracker.debian.org/tracker/CVE-2013-6460 • CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
CVE-2018-10854 – cloudforms: stored cross-site scripting in Name field
https://notcve.org/view.php?id=CVE-2018-10854
CloudForms versions 5.8 and 5.9 are vulnerable to cross-site scripting. A flaw was found in CloudForms's v2v infrastructure mapping delete feature: a stored cross-site scripting issue due to improper sanitization of user input in the Name field. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10854 https://access.redhat.com/security/cve/CVE-2018-10854 https://bugzilla.redhat.com/show_bug.cgi?id=1590538 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2017-7528
https://notcve.org/view.php?id=CVE-2017-7528
Ansible Tower as shipped with Red Hat CloudForms Management Engine 5 is vulnerable to CRLF Injection. It was found that the X-Forwarded-For header allows internal servers to deploy other systems (using callback). • http://www.securityfocus.com/bid/105143 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7528 • CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection') CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
CVE-2017-15125 – cloudforms: XSS in self-service UI snapshot feature
https://notcve.org/view.php?id=CVE-2017-15125
A flaw was found in CloudForms before 5.9.0.22 in the self-service UI snapshot feature where the name field is not properly sanitized for HTML and JavaScript input. An attacker could use this flaw to execute a stored XSS attack on an application administrator using CloudForms. Please note that CSP (Content Security Policy) prevents exploitation of this XSS; however, not all browsers support CSP. • http://www.securityfocus.com/bid/102287 https://access.redhat.com/errata/RHSA-2018:0380 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-15125 https://access.redhat.com/security/cve/CVE-2017-15125 https://bugzilla.redhat.com/show_bug.cgi?id=1517396 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-0087 – CFME: check_privileges logic error resulting in privilege escalation
https://notcve.org/view.php?id=CVE-2014-0087
The check_privileges method in vmdb/app/controllers/application_controller.rb in ManageIQ, as used in Red Hat CloudForms Management Engine (CFME), allows remote authenticated users to bypass authorization and gain privileges by leveraging improper RBAC checking, related to the rbac_user_edit action. • https://bugzilla.redhat.com/show_bug.cgi?id=1067623 https://github.com/ManageIQ/manageiq/issues/1581 https://access.redhat.com/security/cve/CVE-2014-0087 • CWE-264: Permissions, Privileges, and Access Controls CWE-285: Improper Authorization