CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2014-0057 – CFME: Dangerous send in ServiceController
https://notcve.org/view.php?id=CVE-2014-0057
The x_button method in the ServiceController (vmdb/app/controllers/service_controller.rb) in Red Hat CloudForms 3.0 Management Engine 5.2 allows remote attackers to execute arbitrary methods via unspecified vectors. El método x_button en el controlador de servicio (vmdb/app/controllers/service_controller.rb) en Red Hat CloudForms 3.0 Management Engine 5.2 permite a atacantes remotos ejecutar métodos arbitrarios a través de vectores no especificados. • http://rhn.redhat.com/errata/RHSA-2014-0215.html http://secunia.com/advisories/57376 https://bugzilla.redhat.com/show_bug.cgi?id=1064140 https://access.redhat.com/security/cve/CVE-2014-0057 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') •
CVSS: 4.3EPSS: 0%CPEs: 186EXPL: 0CVE-2014-0081 – rubygem-actionpack: number_to_currency, number_to_percentage and number_to_human XSS vulnerability
https://notcve.org/view.php?id=CVE-2014-0081
Multiple cross-site scripting (XSS) vulnerabilities in actionview/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.17, 4.0.x before 4.0.3, and 4.1.x before 4.1.0.beta2 allow remote attackers to inject arbitrary web script or HTML via the (1) format, (2) negative_format, or (3) units parameter to the (a) number_to_currency, (b) number_to_percentage, or (c) number_to_human helper. Múltiples vulnerabilidades de XSS en actionview/lib/action_view/helpers/number_helper.rb en Ruby on Rails anterior a 3.2.17, 4.0.x anterior a 4.0.3 y 4.1.x anterior a 4.1.0.beta2 permiten a atacantes remotos inyectar script Web o HTML arbitrarios a través del parámetro (1) format, (2) negative_format, o (3) units hacia la ayuda de (a) number_to_currency, (b) number_to_percentage, o (c) number_to_human. • http://lists.opensuse.org/opensuse-updates/2014-02/msg00081.html http://openwall.com/lists/oss-security/2014/02/18/8 http://rhn.redhat.com/errata/RHSA-2014-0215.html http://rhn.redhat.com/errata/RHSA-2014-0306.html http://secunia.com/advisories/57376 http://www.securityfocus.com/bid/65647 http://www.securitytracker.com/id/1029782 https://groups.google.com/forum/message/raw?msg=rubyonrails-security/tfp6gZCtzr4/j8LUHmu7fIEJ https://access.redhat.com/security/cve/CVE-2014-0081 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.8EPSS: 0%CPEs: 3EXPL: 0CVE-2013-6443 – CFME: GET request CSRF vulnerability
https://notcve.org/view.php?id=CVE-2013-6443
CloudForms 3.0 Management Engine before 5.2.1.6 allows remote attackers to bypass the Ruby on Rails protect_from_forgery mechanism and conduct cross-site request forgery (CSRF) attacks via a destructive action in a request. CloudForms 3.0 Management Engine anterior a la versión 5.2.1.6 permite a atacantes remotos evadir el mecanismo protect_from_forgery de Ruby on Rails y llevar a cabo ataques de CSRF a través de una acción destructiva en una petición. • http://rhn.redhat.com/errata/RHSA-2014-0025.html http://www.securitytracker.com/id/1029606 https://access.redhat.com/security/cve/CVE-2013-6443 https://bugzilla.redhat.com/show_bug.cgi?id=1044178 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2012-5604
https://notcve.org/view.php?id=CVE-2012-5604
The ldap_fluff gem for Ruby, as used in Red Hat CloudForms 1.1, when using Active Directory for authentication, allows remote attackers to bypass authentication via unspecified vectors. La gema ldap_fluff para Ruby, tal y como se emplea en Red Hat CloudForms 1.1, cuando se emplea Active Directory para la autenticación, permite que atacantes remotos omitan la autenticación mediante vectores sin especificar. • http://rhn.redhat.com/errata/RHSA-2013-0544.html https://bugzilla.redhat.com/show_bug.cgi?id=882136 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 4.9EPSS: 0%CPEs: 1EXPL: 0CVE-2012-3538 – katello: pulp admin password logged in plaintext in world-readable katello/production.log
https://notcve.org/view.php?id=CVE-2012-3538
Pulp in Red Hat CloudForms before 1.1 logs administrative passwords in a world-readable file, which allows local users to read pulp administrative passwords by reading production.log. Pulp en Red Hat CloudForms anteriores a v1.1 registra las contraseñas administrativas en un fichero legible, lo que permite a usuarios locales a leer contraseñas administrativas leyendo el fichero production.log. • http://osvdb.org/88139 http://rhn.redhat.com/errata/RHSA-2012-1543.html http://secunia.com/advisories/51472 http://www.securityfocus.com/bid/56819 https://exchange.xforce.ibmcloud.com/vulnerabilities/80547 https://access.redhat.com/security/cve/CVE-2012-3538 https://bugzilla.redhat.com/show_bug.cgi?id=852199 • CWE-255: Credentials Management Errors •