Red Hat CloudForms 3.0

CPE Details

Red Hat CloudForms 3.0
redhat
cloudforms
3.0
2014-01-23
17h14 +00:00
2014-01-23
17h22 +00:00
CPE NVD
Alerte pour un CPE
Stay informed of any changes for a specific CPE.
Notifications manage

CPE Name: cpe:2.3:a:redhat:cloudforms:3.0:*:*:*:*:*:*:*

Informations

Vendor

redhat

Product

cloudforms

Version

3.0

Related CVE

Open and find in CVE List

CVE ID Published Description Score Severity
CVE-2020-25716 2021-06-07 18h27 +00:00 A flaw was found in Cloudforms. A role-based privileges escalation flaw where export or import of administrator files is possible. An attacker with a specific group can perform actions restricted only to system administrator. This is the affect of an incomplete fix for CVE-2020-10783. The highest threat from this vulnerability is to data confidentiality and integrity. Versions before cfme 5.11.10.1 are affected
8.1
High
CVE-2020-14369 2020-12-02 13h28 +00:00 This release fixes a Cross Site Request Forgery vulnerability was found in Red Hat CloudForms which forces end users to execute unwanted actions on a web application in which the user is currently authenticated. An attacker can make a forgery HTTP request to the server by crafting custom flash file which can force the user to perform state changing requests like provisioning VMs, running ansible playbooks and so forth.
6.3
Medium
CVE-2020-14325 2020-08-11 10h49 +00:00 Red Hat CloudForms before 5.11.7.0 was vulnerable to the User Impersonation authorization flaw which allows malicious attacker to create existent and non-existent role-based access control user, with groups and roles. With a selected group of EvmGroup-super_administrator, an attacker can perform any API request as a super administrator.
9.1
Critical
CVE-2014-0197 2019-12-13 11h48 +00:00 CFME: CSRF protection vulnerability via permissive check of the referrer header
8.8
High
CVE-2013-4423 2019-11-04 11h49 +00:00 CloudForms stores user passwords in recoverable format
5.5
Medium
CVE-2013-0186 2019-11-01 17h38 +00:00 Multiple cross-site scripting (XSS) vulnerabilities in ManageIQ EVM allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
6.1
Medium
CVE-2016-4471 2017-06-08 16h00 +00:00 ManageIQ in CloudForms before 4.1 allows remote authenticated users to execute arbitrary code.
8.8
High
CVE-2014-0057 2014-03-18 13h00 +00:00 The x_button method in the ServiceController (vmdb/app/controllers/service_controller.rb) in Red Hat CloudForms 3.0 Management Engine 5.2 allows remote attackers to execute arbitrary methods via unspecified vectors.
7.5
CVE-2014-0081 2014-02-20 10h00 +00:00 Multiple cross-site scripting (XSS) vulnerabilities in actionview/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.17, 4.0.x before 4.0.3, and 4.1.x before 4.1.0.beta2 allow remote attackers to inject arbitrary web script or HTML via the (1) format, (2) negative_format, or (3) units parameter to the (a) number_to_currency, (b) number_to_percentage, or (c) number_to_human helper.
4.3
CVE-2013-6443 2014-01-23 00h00 +00:00 CloudForms 3.0 Management Engine before 5.2.1.6 allows remote attackers to bypass the Ruby on Rails protect_from_forgery mechanism and conduct cross-site request forgery (CSRF) attacks via a destructive action in a request.
6.8
The information presented on CVE Find originates from several carefully selected reference sources. CVE data is provided by MITRE Corporation and the National Vulnerability Database (NVD). The Known Exploited Vulnerabilities (KEV) catalog is sourced from the Cybersecurity and Infrastructure Security Agency (CISA), while EPSS scores come from FIRST.org. Additionally, data regarding software weaknesses (CWE) and common attack patterns (CAPEC) is maintained by MITRE Corporation, and information on hardware and software configurations (CPE) is provided by the NVD.