
CVE-2014-3642 – CFME: dangerous send method in performance.rb
https://notcve.org/view.php?id=CVE-2014-3642
03 Oct 2014 — vmdb/app/controllers/application_controller/performance.rb in Red Hat CloudForms 3.1 Management Engine (CFME) before 5.3 allows remote authenticated users to gain privileges via unspecified vectors, related to an "insecure send method." It was... • http://rhn.redhat.com/errata/RHSA-2014-1317.html • CWE-264: Permissions, Privileges, and Access Controls • CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

CVE-2014-0140 – CFME: default routes expose controllers and actions
https://notcve.org/view.php?id=CVE-2014-0140
03 Oct 2014 — Red Hat CloudForms 3.1 Management Engine (CFME) before 5.3 allows remote authenticated users to access sensitive controllers and actions via a direct HTTP or HTTPS request. It was found that Red Hat CloudForms exposed default routes that were reachable via HTTP(S) requests. An authenticated user could use this flaw... • http://rhn.redhat.com/errata/RHSA-2014-1317.html • CWE-264: Permissions, Privileges, and Access Controls • CWE-749: Exposed Dangerous Method or Function