
CVE-2014-7813
https://notcve.org/view.php?id=CVE-2014-7813
18 Oct 2017 — Red Hat CloudForms 3 Management Engine (CFME) allows remote authenticated users to cause a denial of service (resource consumption) via vectors involving calls to the .to_sym Rails function and lack of garbage collection of inserted symbols. • https://bugzilla.redhat.com/show_bug.cgi?id=1157872 • CWE-400: Uncontrolled Resource Consumption

CVE-2014-3642 – CFME: dangerous send method in performance.rb
https://notcve.org/view.php?id=CVE-2014-3642
03 Oct 2014 — vmdb/app/controllers/application_controller/performance.rb in Red Hat CloudForms 3.1 Management Engine (CFME) before 5.3 allows remote authenticated users to gain privileges via unspecified vectors, related to an "insecure send method." It was... • http://rhn.redhat.com/errata/RHSA-2014-1317.html • CWE-264: Permissions, Privileges, and Access Controls • CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

CVE-2014-0140 – CFME: default routes expose controllers and actions
https://notcve.org/view.php?id=CVE-2014-0140
03 Oct 2014 — Red Hat CloudForms 3.1 Management Engine (CFME) before 5.3 allows remote authenticated users to access sensitive controllers and actions via a direct HTTP or HTTPS request. It was found that Red Hat CloudForms exposed default routes that were reachable via HTTP(S) requests. An authenticated user could use this flaw... • http://rhn.redhat.com/errata/RHSA-2014-1317.html • CWE-264: Permissions, Privileges, and Access Controls • CWE-749: Exposed Dangerous Method or Function

CVE-2014-0136 – CFME: AgentController get/log application log forging
https://notcve.org/view.php?id=CVE-2014-0136
14 Aug 2014 — The (1) get and (2) log methods in the AgentController in Red Hat CloudForms 3.0 Management Engine (CFME) 5.x allow remote attackers to insert arbitrary text into log files via unspecified vectors. It was found that the get and log methods of the AgentController wrote log messages without... • http://rhn.redhat.com/errata/RHSA-2014-1037.html • CWE-20: Improper Input Validation • CWE-117: Improper Output Neutralization for Logs

CVE-2014-3486 – CFME: SSH Utility insecure tmp file creation leading to code execution as root
https://notcve.org/view.php?id=CVE-2014-3486
30 Jun 2014 — The (1) shell_exec function in lib/util/MiqSshUtilV1.rb and (2) temp_cmd_file function in lib/util/MiqSshUtilV2.rb in Red Hat CloudForms 3.0 Management Engine (CFME) before 5.2.4.2 allow local users to execute arbitrary commands via a symlink attack on a temporary file with a predictable name. • http://rhn.redhat.com/errata/RHSA-2014-0816.html • CWE-59: Improper Link Resolution Before File Access ('Link Following') • CWE-377: Insecure Temporary File

CVE-2014-3489 – CFME: Default salt value in miq-password.rb
https://notcve.org/view.php?id=CVE-2014-3489
30 Jun 2014 — lib/util/miq-password.rb in Red Hat CloudForms 3.0 Management Engine (CFME) before 5.2.4.2 uses a hard-coded salt, which makes it easier for remote attackers to guess passwords via a brute force attack. Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to... • http://rhn.redhat.com/errata/RHSA-2014-0816.html • CWE-255: Credentials Management Errors • CWE-321: Use of Hard-coded Cryptographic Key

CVE-2014-0176 – CFME: reflected XSS in several places due to missing JavaScript escaping
https://notcve.org/view.php?id=CVE-2014-0176
30 Jun 2014 — Cross-site scripting (XSS) vulnerability in application/panel_control in CloudForms 3.0 Management Engine (CFME) before 5.2.4.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Red Hat CloudForms Management Engine delivers the insight, co... • http://rhn.redhat.com/errata/RHSA-2014-0816.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2014-0180 – CFME: app/controllers/application_controller.rb wait_for_task DoS
https://notcve.org/view.php?id=CVE-2014-0180
30 Jun 2014 — The wait_for_task function in app/controllers/application_controller.rb in Red Hat CloudForms 3.0 Management Engine (CFME) before 5.2.4.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via unspecified vectors. • http://rhn.redhat.com/errata/RHSA-2014-0816.html • CWE-399: Resource Management Errors • CWE-400: Uncontrolled Resource Consumption

CVE-2014-0184 – CFME: root password is written to evm.log when entered during VM provisioning
https://notcve.org/view.php?id=CVE-2014-0184
30 Jun 2014 — Red Hat CloudForms 3.0 Management Engine (CFME) before 5.2.4.2 logs the root password when deploying a VM, which allows local users to obtain sensitive information by reading the evm.log file. Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to ad... • http://rhn.redhat.com/errata/RHSA-2014-0816.html • CWE-255: Credentials Management Errors • CWE-522: Insufficiently Protected Credentials

CVE-2014-0137 – CFME: ReportController SQL injection
https://notcve.org/view.php?id=CVE-2014-0137
12 May 2014 — SQL injection vulnerability in the saved_report_delete action in the ReportController in Red Hat CloudForms Management Engine (CFME) before 5.2.3.2 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, related to MiqReportResult.exists. • http://rhn.redhat.com/errata/RHSA-2014-0469.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')