Page 5 of 39 results (0.005 seconds)

CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0

CloudForms Management Engine (cfme) is vulnerable to an improper security setting in the dRuby component of CloudForms. An attacker with access to an unprivileged local shell could use this flaw to execute commands as a high privileged user. CloudForms Management Engine (cfme) es vulnerable a una opción de seguridad incorrecta en el componente dRuby de CloudForms. Un atacante con acceso a un shell local sin privilegios podría emplear este error para ejecutar comandos como usuario con altos privilegios. CloudForms Management Engine has a vulnerability that allows local users to execute arbitrary commands as root. • https://access.redhat.com/errata/RHSA-2018:2561 https://access.redhat.com/errata/RHSA-2018:2745 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10905 https://access.redhat.com/security/cve/CVE-2018-10905 https://bugzilla.redhat.com/show_bug.cgi?id=1602190 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-284: Improper Access Control •

CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0

A flaw was found in CloudForms before 5.9.0.22 in the self-service UI snapshot feature where the name field is not properly sanitized for HTML and JavaScript input. An attacker could use this flaw to execute a stored XSS attack on an application administrator using CloudForms. Please note that CSP (Content Security Policy) prevents exploitation of this XSS however not all browsers support CSP. Se ha encontrado un fallo en CloudForms en versiones anteriores a la 5.9.0.22 en la función de instantánea de la interfaz de usuario de autoservicio, donde el campo de nombre no está correctamente saneado para la entrada de código HTML y JavaScript. Un atacante podría aprovechar este fallo para ejecutar un ataque de Cross-Site Scripting (XSS) persistente en un administrador de aplicaciones que emplee CloudForms. • http://www.securityfocus.com/bid/102287 https://access.redhat.com/errata/RHSA-2018:0380 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-15125 https://access.redhat.com/security/cve/CVE-2017-15125 https://bugzilla.redhat.com/show_bug.cgi?id=1517396 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0

The check_privileges method in vmdb/app/controllers/application_controller.rb in ManageIQ, as used in Red Hat CloudForms Management Engine (CFME), allows remote authenticated users to bypass authorization and gain privileges by leveraging improper RBAC checking, related to the rbac_user_edit action. El método check_privileges en vmdb/app/controllers/application_controller.rb en ManageIQ, tal y como se emplea en Red Hat CloudForms Management Engine (CFME), permite que usuarios autenticados remotos omitan la autorización y obtengan privilegios aprovechando una comprobación RBAC indebida, relacionada con la acción rbac_user_edit. • https://bugzilla.redhat.com/show_bug.cgi?id=1067623 https://github.com/ManageIQ/manageiq/issues/1581 https://access.redhat.com/security/cve/CVE-2014-0087 • CWE-264: Permissions, Privileges, and Access Controls CWE-285: Improper Authorization •

CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 0

In CloudForms Management Engine (cfme) before 5.7.3 and 5.8.x before 5.8.1, it was found that privilege check is missing when invoking arbitrary methods via filtering on VMs that MiqExpression will execute that is triggerable by API users. An attacker could use this to execute actions they should not be allowed to (e.g. destroying VMs). En CloudForms Management Engine (cfme) en versiones anteriores a la 5.7.3 y versiones 5.8.x anteriores a la 5.8.1, se ha detectado que falta la comprobación de privilegios cuando se invocan métodos arbitrarios filtrando las máquinas virtuales que MiqExpression va a ejecutar. Esta condición puede ser desencadenada por los usuarios de la API. Un atacante podría utilizarlo para ejecutar acciones para las que no debería estar autorizado (por ejemplo, destruir máquinas virtuales). • http://www.securityfocus.com/bid/100151 https://access.redhat.com/errata/RHSA-2017:1758 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7530 https://access.redhat.com/security/cve/CVE-2017-7530 https://bugzilla.redhat.com/show_bug.cgi?id=1465448 • CWE-862: Missing Authorization •

CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 0

CloudForms Management Engine (cfme) before 5.7.3 and 5.8.x before 5.8.1 lacks RBAC controls on certain methods in the rails application portion of CloudForms. An attacker with access could use a variety of methods within the rails application portion of CloudForms to escalate privileges. CloudForms Management Engine (cfme) en versiones anteriores a la 5.7.3 y 5.8.x anteriores a la 5.8.1 carece de controles RBAC en determinados métodos en la parte de la aplicación rails de CloudForms. Un atacante con acceso podría utilizar una variedad de métodos en la parte de la aplicación rails de CloudForms para escalar privilegios. CloudForms lacks RBAC controls on certain methods in the rails application portion of CloudForms. • http://www.securityfocus.com/bid/100148 https://access.redhat.com/errata/RHSA-2017:1758 https://access.redhat.com/errata/RHSA-2017:3484 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2664 https://access.redhat.com/security/cve/CVE-2017-2664 https://bugzilla.redhat.com/show_bug.cgi?id=1435393 • CWE-284: Improper Access Control •