CVE-2013-0186 – EVM: Stored XSS
https://notcve.org/view.php?id=CVE-2013-0186
Multiple cross-site scripting (XSS) vulnerabilities in ManageIQ EVM allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Múltiples vulnerabilidades de tipo cross-site scripting (XSS) en ManageIQ EVM, permiten a atacantes remotos inyectar script web o HTML arbitrario por medio de vectores no especificados. • https://access.redhat.com/errata/RHSA-2014:0215 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-0186 https://access.redhat.com/security/cve/CVE-2013-0186 https://bugzilla.redhat.com/show_bug.cgi?id=895346 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2013-0185
https://notcve.org/view.php?id=CVE-2013-0185
Cross-site request forgery (CSRF) vulnerability in ManageIQ Enterprise Virtualization Manager (EVM) allows remote attackers to hijack the authentication of users for requests that have unspecified impact via unknown vectors. Vulnerabilidad de Cross-Site Request Forgery (CSRF) en ManageIQ Enterprise Virtualization Manager (EVM) permite que atacantes remotos secuestren la autenticación de usuarios para peticiones que provocan un impacto sin especificar mediante vectores desconocidos. • https://bugzilla.redhat.com/show_bug.cgi?id=895345 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2013-2050 – Red Hat CloudForms Management Engine 5.1 miq_policy/explorer SQL Injection
https://notcve.org/view.php?id=CVE-2013-2050
SQL injection vulnerability in the miq_policy controller in Red Hat CloudForms 2.0 Management Engine (CFME) 5.1 and ManageIQ Enterprise Virtualization Manager 5.0 and earlier allows remote authenticated users to execute arbitrary SQL commands via the profile[] parameter in an explorer action. Vulnerabilidad de inyección SQL en el controlador miq_policy para Red Hat CloudForms 2.0 Management Engine (CFME) 5.1 y ManageIQ Enterprise Virtualization Manager 5.0 y anteriores permite a usuarios remotos autenticados ejecutar comandos SQL de forma arbitraria a través del parámetro profile[] en una acción de explorador. • http://packetstormsecurity.com/files/124609/cfme_manageiq_evm_pass_reset.rb.txt http://secunia.com/advisories/56181 http://www.securityfocus.com/bid/64524 https://bugzilla.redhat.com/show_bug.cgi?id=959062 https://exchange.xforce.ibmcloud.com/vulnerabilities/89984 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •