CVSS: 9.1EPSS: 1%CPEs: 1EXPL: 0CVE-2020-14324 – CloudForms: Out-of-band OS Command Injection through conversion host
https://notcve.org/view.php?id=CVE-2020-14324
06 Aug 2020 — A high severity vulnerability was found in all active versions of Red Hat CloudForms before 5.11.7.0. The out of band OS command injection vulnerability can be exploited by authenticated attacker while setuping conversion host through Infrastructure Migration Solution. This flaw allows attacker to execute arbitrary commands on CloudForms server. Se encontró una vulnerabilidad de alta gravedad en todas las versiones activas de Red Hat CloudForms versiones anteriores a 5.11.7.0. La vulnerabilidad de inyección... • https://access.redhat.com/security/cve/cve-2020-14324 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2014-0197 – CFME: CSRF protection vulnerability in referrer header
https://notcve.org/view.php?id=CVE-2014-0197
13 Dec 2019 — CFME: CSRF protection vulnerability via permissive check of the referrer header CFME: una vulnerabilidad de la protección CSRF mediante una comprobación permisiva del encabezado de referencia. • https://access.redhat.com/security/cve/cve-2014-0197 • CWE-285: Improper Authorization CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 0CVE-2018-10854 – cloudforms: stored cross-site scripting in Name field
https://notcve.org/view.php?id=CVE-2018-10854
05 Sep 2019 — cloudforms version, cloudforms 5.8 and cloudforms 5.9, is vulnerable to a cross-site-scripting. A flaw was found in CloudForms's v2v infrastructure mapping delete feature. A stored cross-site scripting due to improper sanitization of user input in Name field. La versión de Cloudforms, Cloudforms versión 5.8 y Cloudforms versión 5.9, son vulnerables a un ataque de tipo cross-site-scripting. Se encontró un fallo en la funcionalidad de eliminación de mapeo de infraestructura v2v de CloudForms. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10854 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2019-10177
https://notcve.org/view.php?id=CVE-2019-10177
27 Jun 2019 — A stored cross-site scripting (XSS) vulnerability was found in the PDF export component of CloudForms, versions 5.9 and 5.10, due to user input is not properly sanitized. An attacker with least privilege to edit compute is able to execute a XSS attack against other users, which could lead to malicious code execution and extraction of the anti-CSRF token of higher privileged users. Se encontró una vulnerabilidad almacenada de cross-site scripting (XSS) en el componente de exportación a PDF de CloudForms, ver... • http://www.securityfocus.com/bid/109065 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2017-15123
https://notcve.org/view.php?id=CVE-2017-15123
12 Jun 2019 — A flaw was found in the CloudForms web interface, versions 5.8 - 5.10, where the RSS feed URLs are not properly restricted to authenticated users only. An attacker could use this flaw to view potentially sensitive information from CloudForms including data such as newly created virtual machines. Se descubrió un defecto en el CloudFoms en el interface, versiones 5.8- 5.10, donde las URL de las fuentes RSS No están restringidas adecuadamente para los usuarios autorizados solamente. Un atacante podría usar est... • http://www.securityfocus.com/bid/108690 • CWE-306: Missing Authentication for Critical Function •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2018-10905 – cfme: Improper access control in dRuby allows local users to execute arbitrary commands as root
https://notcve.org/view.php?id=CVE-2018-10905
24 Jul 2018 — CloudForms Management Engine (cfme) is vulnerable to an improper security setting in the dRuby component of CloudForms. An attacker with access to an unprivileged local shell could use this flaw to execute commands as a high privileged user. CloudForms Management Engine (cfme) es vulnerable a una opción de seguridad incorrecta en el componente dRuby de CloudForms. Un atacante con acceso a un shell local sin privilegios podría emplear este error para ejecutar comandos como usuario con altos privilegios. Clou... • https://access.redhat.com/errata/RHSA-2018:2561 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-284: Improper Access Control •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2017-15125 – cloudforms: XSS in self-service UI snapshot feature
https://notcve.org/view.php?id=CVE-2017-15125
01 Mar 2018 — A flaw was found in CloudForms before 5.9.0.22 in the self-service UI snapshot feature where the name field is not properly sanitized for HTML and JavaScript input. An attacker could use this flaw to execute a stored XSS attack on an application administrator using CloudForms. Please note that CSP (Content Security Policy) prevents exploitation of this XSS however not all browsers support CSP. Se ha encontrado un fallo en CloudForms en versiones anteriores a la 5.9.0.22 en la función de instantánea de la in... • http://www.securityfocus.com/bid/102287 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •