CVE-2014-0078 – CFME: multiple authorization bypass vulnerabilities in CatalogController
https://notcve.org/view.php?id=CVE-2014-0078
12 May 2014 — The CatalogController in Red Hat CloudForms Management Engine (CFME) before 5.2.3.2 allows remote authenticated users to delete arbitrary catalogs via vectors involving guessing the catalog ID. Red Hat CloudForms Management Engine delivers the insight, control, and automation needed... • http://rhn.redhat.com/errata/RHSA-2014-0469.html • CWE-264: Permissions, Privileges, and Access Controls • CWE-862: Missing Authorization
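The entry above describes the classic missing-authorization shape: the delete handler looks a catalog up by the ID the request supplies and never asks whether the caller owns it, so sequential IDs can simply be walked. The following is an added illustration written for this page, not CFME's CatalogController or any other ManageIQ code; `Catalog`, `CatalogStore`, the user names and the seed data are all constructed for the example.

```ruby
# Added illustration, not CFME code: an unscoped lookup by client-supplied
# ID versus a lookup scoped to the caller's own catalogs.
# Catalog, CatalogStore and the seed data are constructed for this example.

Catalog = Struct.new(:id, :owner, :name)

class CatalogStore
  def initialize(catalogs)
    @by_id = catalogs.map { |c| [c.id, c] }.to_h
  end

  # Vulnerable shape: the only input to the lookup is the ID from the
  # request, so ownership is never consulted.
  def delete_unscoped(id)
    @by_id.delete(id) ? :deleted : :not_found
  end

  # Hardened shape: resolve the ID through the caller's own catalogs.
  # A foreign ID and a nonexistent one get the same answer, which also
  # avoids confirming to the caller which IDs exist.
  def delete_scoped(id, user)
    catalog = @by_id[id]
    return :not_found if catalog.nil? || catalog.owner != user
    @by_id.delete(id)
    :deleted
  end

  def ids
    @by_id.keys.sort
  end
end

# Two users, sequential IDs: the layout that makes guessing cheap.
def seed_store
  CatalogStore.new([
    Catalog.new(1, 'alice', 'prod-services'),
    Catalog.new(2, 'bob',   'dev-services'),
    Catalog.new(3, 'bob',   'qa-services'),
  ])
end

# Simulate an authenticated attacker logged in as `user` who walks a range
# of IDs and sends a delete for each. Returns the IDs actually removed.
def guess_and_delete(store, user, id_range, scoped:)
  id_range.select do |id|
    result = scoped ? store.delete_scoped(id, user) : store.delete_unscoped(id)
    result == :deleted
  end
end
```

Run against the seed data, the unscoped path lets "alice" remove all three catalogs in one sweep of IDs 1..10, while the scoped path removes only her own. The fix is not "hide the ID": it is routing every lookup through the caller's permitted set.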
CVE-2014-0057 – CFME: Dangerous send in ServiceController
https://notcve.org/view.php?id=CVE-2014-0057
11 Mar 2014 — The x_button method in the ServiceController (vmdb/app/controllers/service_controller.rb) in Red Hat CloudForms 3.0 Management Engine 5.2 allows remote attackers to execute arbitrary methods via unspecified vectors. Red Hat CloudForms Management Engine delivers the insight,... • http://rhn.redhat.com/errata/RHSA-2014-0215.html • CWE-94: Improper Control of Generation of Code ('Code Injection') • CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
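"Dangerous send" is the Ruby name for the pattern behind the entry above: a controller takes a request parameter and passes it to `Object#send`, which ignores method visibility and therefore reaches private, protected and inherited methods as readily as the intended handlers. The block below is an added illustration written for this page, not the ServiceController source; the parameter name `pressed`, the handler names and the private `wipe_all_services` method are made up for the example.

```ruby
# Added illustration, not the x_button source: dispatching on a request
# parameter through Object#send versus through an explicit allowlist.
# `pressed`, the handler names and wipe_all_services are hypothetical.

class ButtonDispatcher
  attr_reader :log

  def initialize
    @log = []
  end

  # Handlers a toolbar button is supposed to reach.
  def service_edit
    @log << :edit
    :ok
  end

  def service_delete
    @log << :delete
    :ok
  end

  # Vulnerable shape: the method name comes straight from the request.
  # Object#send ignores visibility, so every private, protected and
  # inherited method on the controller (and on Object/Kernel) is callable.
  def x_button_unsafe(params)
    send(params['pressed'])
  end

  # Hardened shape: the untrusted string only selects among known symbols,
  # and public_send is used so visibility is still enforced.
  ALLOWED_BUTTONS = {
    'service_edit'   => :service_edit,
    'service_delete' => :service_delete,
  }.freeze

  def x_button_safe(params)
    handler = ALLOWED_BUTTONS[params['pressed']]
    raise ArgumentError, "unknown button #{params['pressed'].inspect}" unless handler
    public_send(handler)
  end

  private

  # Something that must never be reachable from a request.
  def wipe_all_services
    @log << :wiped
    :wiped
  end
end
```

The allowlist is a hash rather than a `respond_to?` check on purpose: `respond_to?` is true for every public method the controller inherits, which is far more than the two buttons, and a check like `respond_to?(name, true)` would admit private methods again.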
CVE-2014-0081 – rubygem-actionpack: number_to_currency, number_to_percentage and number_to_human XSS vulnerability
https://notcve.org/view.php?id=CVE-2014-0081
20 Feb 2014 — Multiple cross-site scripting (XSS) vulnerabilities in actionview/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.17, 4.0.x before 4.0.3, and 4.1.x before 4.1.0.beta2 allow remote attackers to inject arbitrary web script or HTML via the (1) format, (2) negative_format, or (3) units parameter to the (a) number_to_currency, (b) number_to_percentage, or (c) number_to_human helper. • http://lists.opensuse.org/opensuse-updates/2014-02/msg00081.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2013-6443 – CFME: GET request CSRF vulnerability
https://notcve.org/view.php?id=CVE-2013-6443
14 Jan 2014 — CloudForms 3.0 Management Engine before 5.2.1.6 allows remote attackers to bypass the Ruby on Rails protect_from_forgery mechanism and conduct cross-site request forgery (CSRF) attacks via a destructive action in a request. Red Hat CloudForms Management Engine delivers the insig... • http://rhn.redhat.com/errata/RHSA-2014-0025.html • CWE-352: Cross-Site Request Forgery (CSRF)
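The title of the entry above names the mechanism: Rails' `protect_from_forgery` does not verify the authenticity token on GET or HEAD requests, on the assumption that those are safe, so a destructive action that is routed over GET can be triggered by any page the victim visits (an `<img src>` is enough) without ever presenting a token. The block below is an added model written for this page, not CFME or Rails code: `ForgeryCheck#verified?` mirrors the shape of the Rails check (GET/HEAD exempt, otherwise the session token must arrive as a parameter or the `X-CSRF-Token` header), and the route tables, paths and token value are constructed.

```ruby
# Added illustration, not CFME or Rails source: a minimal model of the
# protect_from_forgery decision, showing that a destructive action exposed
# over GET is never token-checked. Routes, paths and the token are made up.

class ForgeryCheck
  def initialize(session_token)
    @token = session_token
  end

  # Same shape as Rails' verified_request?: GET and HEAD are exempt;
  # everything else must carry the session's token as a param or header.
  def verified?(method, params: {}, headers: {})
    return true if %w[GET HEAD].include?(method)
    supplied = params['authenticity_token'] || headers['X-CSRF-Token']
    !supplied.nil? && supplied == @token
  end
end

# Routes map [method, path] to an action. Rails routes are method-specific,
# so a `get` route pointing at a destructive action is the bug itself.
VULNERABLE_ROUTES = { ['GET', '/catalog/1/delete'] => :destroy }.freeze
HARDENED_ROUTES   = { ['DELETE', '/catalog/1']     => :destroy }.freeze

# Returns :executed, :forbidden (token missing or wrong) or :no_route.
def dispatch(routes, check, method, path, params: {}, headers: {})
  action = routes[[method, path]]
  return :no_route unless action
  check.verified?(method, params: params, headers: headers) ? :executed : :forbidden
end

# What a cross-site page can make the victim's browser send: a plain GET
# with no token, using the victim's cookies. It cannot add custom headers.
def cross_site_get(routes, check, path)
  dispatch(routes, check, 'GET', path)
end
```

With the vulnerable table, the forged GET reaches `:destroy` and executes. With the hardened table the same GET has no route, and the DELETE form of the request is refused unless it carries the token, which a third-party page cannot read. Moving the action off GET is the fix; adding a token check to GET requests in the vulnerable route would also work but fights the framework.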
CVE-2013-2050 – Red Hat CloudForms Management Engine 5.1 miq_policy/explorer SQL Injection
https://notcve.org/view.php?id=CVE-2013-2050
27 Dec 2013 — SQL injection vulnerability in the miq_policy controller in Red Hat CloudForms 2.0 Management Engine (CFME) 5.1 and ManageIQ Enterprise Virtualization Manager 5.0 and earlier allows remote authenticated users to execute arbitrary SQL commands via the profile[] parameter in an explorer action. • https://packetstorm.news/files/id/124609 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
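The `profile[]` parameter in the entry above is an array-valued parameter: Rack turns `profile[]=1&profile[]=2` into `params['profile'] == ['1', '2']`, and a controller that joins those values into an `IN (...)` clause hands every element to the database verbatim. The block below is an added illustration written for this page, not the miq_policy controller; the table and column names are hypothetical and the params hashes are constructed the way Rack would parse the query string.

```ruby
# Added illustration, not the miq_policy controller: an array parameter
# interpolated into an IN list versus the parameterized form.
# Table/column names are hypothetical; params are constructed as Rack
# would parse `profile[]=1&profile[]=2`.

TABLE = 'miq_policies'

# Vulnerable shape: values are joined straight into the statement.
def profiles_sql_unsafe(params)
  "SELECT * FROM #{TABLE} WHERE profile_id IN (#{Array(params['profile']).join(',')})"
end

# Hardened shape: every element becomes a bind placeholder and is coerced
# to an integer ID before it is bound; anything else is rejected. Returns
# [sql, binds]. An empty list would produce the invalid `IN ()`, so that
# edge case becomes a query that matches nothing.
def profiles_sql_safe(params)
  ids = Array(params['profile']).map do |v|
    raise ArgumentError, "bad profile id #{v.inspect}" unless v.to_s.match?(/\A\d+\z/)
    v.to_i
  end
  return ["SELECT * FROM #{TABLE} WHERE 1 = 0", []] if ids.empty?
  placeholders = Array.new(ids.size, '?').join(', ')
  ["SELECT * FROM #{TABLE} WHERE profile_id IN (#{placeholders})", ids]
end

# Review-time heuristic over a generated statement: a stacked statement,
# a tautology or a comment marker after the IN list is a red flag.
def looks_injected?(sql)
  sql.match?(/;\s*(DROP|DELETE|UPDATE|INSERT)\b/i) ||
    sql.match?(/\bOR\s+1\s*=\s*1\b/i) ||
    sql.include?('--')
end
```

Note that validation and binding are both applied: the regex keeps non-numeric junk out of the query, and the placeholders mean that even a value that slipped past validation would be sent as data, not as SQL text.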
CVE-2013-2068 – RedHat CloudForms Management Engine 5.1 - agent/linuxpkgs Directory Traversal
https://notcve.org/view.php?id=CVE-2013-2068
04 Sep 2013 — Multiple directory traversal vulnerabilities in the AgentController in Red Hat CloudForms Management Engine 2.0 allow remote attackers to create and overwrite arbitrary files via a .. (dot dot) in the filename parameter to the (1) log, (2) upload, or (3) linuxpkgs method. • https://packetstorm.news/files/id/124569 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
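All three methods in the entry above share one bug: a client-supplied filename is joined onto a server-side directory, and `..` segments in it walk back out of that directory, so the write lands wherever the attacker points it. The block below is an added illustration written for this page, not the AgentController; the upload root and filenames are constructed, and the hardened version shows the containment check that the joined path must pass before anything is written.

```ruby
# Added illustration, not the AgentController: building a file path from a
# request-supplied filename, and the containment check that rejects
# traversal. The upload root and the filenames are constructed.

# Vulnerable shape: "../" segments in filename walk out of root, and an
# absolute filename is accepted as-is by File.join's string concatenation.
def target_path_unsafe(root, filename)
  File.join(root, filename)
end

# Hardened shape: resolve the candidate against the root and require that
# it stays strictly inside it. File.absolute_path is used rather than
# File.expand_path because the latter also expands a leading "~", which
# is another way for input to escape.
def target_path_safe(root, filename)
  base = File.absolute_path(root)
  full = File.absolute_path(filename.to_s, base)
  unless full.start_with?(base + File::SEPARATOR)
    raise ArgumentError, "filename escapes upload root: #{filename.inspect}"
  end
  full
end

# Convenience for review: does this filename resolve outside root?
def escapes_root?(root, filename)
  target_path_safe(root, filename)
  false
rescue ArgumentError
  true
end
```

The check compares resolved absolute paths rather than searching the input for `..`: a string filter misses encodings and alternative separators, while the resolved path is what the filesystem will actually open. Rejecting an empty filename (which resolves to the root itself) is deliberate, since "inside the root" should mean a file under it, not the directory.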
CVE-2013-4172 – interface: Ruby code injection
https://notcve.org/view.php?id=CVE-2013-4172
19 Aug 2013 — Red Hat CloudForms Management Engine 5.1 allows remote administrators to execute arbitrary Ruby code via unspecified vectors. Red Hat CloudForms Management Engine provides the insight, control, and automation needed to address the challenges of managing virtual environments. An input sanitization flaw was found in Red Hat CloudForms Management Engine. A user w... • http://rhn.redhat.com/errata/RHSA-2013-1157.html • CWE-94: Improper Control of Generation of Code ('Code Injection') • CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
CVE-2012-6117 – Configserver: Passwords from application blueprint stored plaintext in configserver.log
https://notcve.org/view.php?id=CVE-2012-6117
12 Mar 2013 — Aeolus Configuration Server, as used in Red Hat CloudForms Cloud Engine before 1.1.2, uses world-readable permissions for /var/log/aeolus-configserver/configserver.log, which allows local users to read plaintext passwords by reading the log file. • http://rhn.redhat.com/errata/RHSA-2013-0545.html • CWE-264: Permissions, Privileges, and Access Controls
CVE-2012-5509 – aeolus-configserver: aeolus-configserver-setup /tmp file conductor credentials leak
https://notcve.org/view.php?id=CVE-2012-5509
12 Mar 2013 — aeolus-configserver-setup in the Aeolus Configuration Server, as used in Red Hat CloudForms Cloud Engine before 1.1.2, uses world-readable permissions for a temporary file in /tmp, which allows local users to read credentials by reading this file. • http://rhn.redhat.com/errata/RHSA-2013-0545.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor • CWE-264: Permissions, Privileges, and Access Controls
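CVE-2012-6117 and CVE-2012-5509 are the same defect in two places: a file that holds credentials (a log, a setup-time temporary file) is created with the process's default mode, which under the usual umask of 022 is world-readable, so any local account can read it. The block below is an added illustration written for this page, not aeolus-configserver code, covering both entries: it creates such a file owner-only from the first instant it exists and provides the audit check a deployment script would run. The file names and contents are constructed.

```ruby
# Added illustration, not aeolus-configserver code: create credential-bearing
# files owner-only at creation time, and audit existing files for
# world-readable modes. File names and contents are constructed.

require 'tmpdir'

# Any permission bit for "other" set?
def world_accessible?(path)
  (File.stat(path).mode & 0o007) != 0
end

# Create a log or temp file that is owner-only from the moment it exists:
# O_EXCL refuses a pre-existing path (so a pre-planted symlink in /tmp is
# not followed), and the 0600 mode is applied at creation rather than by a
# chmod after the secret has already been written. The umask can only
# remove bits, so the result is never more permissive than 0600.
def create_private_file(path, contents)
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o600) { |f| f.write(contents) }
  path
end

# Deployment-time audit: which of these files can any local user read?
# Missing paths are skipped so the check can list files that may not exist
# on every host.
def world_readable_offenders(paths)
  paths.select { |p| File.file?(p) && (File.stat(p).mode & 0o004) != 0 }
end
```

The audit looks only at the "other" read bit because that is the bit these two advisories describe; a stricter check would also flag group-readable files unless the group is known to be the service's own.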
CVE-2012-5604
https://notcve.org/view.php?id=CVE-2012-5604
01 Mar 2013 — The ldap_fluff gem for Ruby, as used in Red Hat CloudForms 1.1, when using Active Directory for authentication, allows remote attackers to bypass authentication via unspecified vectors. • http://rhn.redhat.com/errata/RHSA-2013-0544.html • CWE-264: Permissions, Privileges, and Access Controls