Red Hat CloudForms

48 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
CVE | affected versions | CVSS score and severity

CVE-2020-25716 | < 5.11.10.1 | 8.1 HIGH
A flaw was found in CloudForms. A role-based privileges escalation flaw where export or import of administrator files is possible.

CVE-2020-14369 | <= 5.11 | 6.3 MEDIUM
This release fixes a Cross Site Request Forgery vulnerability that was found in Red Hat CloudForms, which forces end users to execute un

CVE-2020-14325 | < 5.11.7.0 | 9.1 CRITICAL
Red Hat CloudForms before 5.11.7.0 was vulnerable to the User Impersonation authorization flaw which allows a malicious attacker to

CVE-2020-10783 | all versions | 8.3 HIGH
Red Hat CloudForms 4.7 and 5 are affected by a role-based privilege escalation flaw. An attacker with EVM-Operator group can perfor

CVE-2020-10779 | all versions | 6.5 MEDIUM
Red Hat CloudForms 4.7 and 5 leads to insecure direct object references (IDOR) and functional level access control bypass due to m

CVE-2020-10778 | all versions | 6.0 MEDIUM
In Red Hat CloudForms 4.7 and 5, the read only widgets can be edited by inspecting the forms and dropping the disabled attribute f

CVE-2020-10777 | all versions | 5.4 MEDIUM
A cross-site scripting flaw was found in the Report Menu feature of Red Hat CloudForms 4.7 and 5. An attacker could use this flaw to e

CVE-2014-0197 | all versions | 8.8 HIGH
CFME: CSRF protection vulnerability via permissive check of the referrer header

CVE-2013-4423 | all versions | 5.5 MEDIUM
CloudForms stores user passwords in recoverable format

CVE-2013-0186 | all versions | 6.1 MEDIUM
Multiple cross-site scripting (XSS) vulnerabilities in ManageIQ EVM allow remote attackers to inject arbitrary web script or HTML

CVE-2019-16892 | all versions | 5.5 MEDIUM
In Rubyzip before 1.3.0, a crafted ZIP file can bypass application checks on ZIP entry sizes because data about the uncompressed s

CVE-2019-10159 | all versions | 4.3 MEDIUM
cfme-gemset versions 5.10.4.3 and below, 5.9.9.3 and below are vulnerable to a data leak, due to an improper authorization in the

CVE-2019-11358 | all versions | 6.1 MEDIUM
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Objec

CVE-2019-5419 | all versions | 7.5 HIGH
There is a possible denial of service vulnerability in Action View (Rails) <5.2.2.1, <5.1.6.2, <5.0.7.2, <4.2.11.1 where specially

CVE-2019-5418 | all versions | 7.5 HIGH
There is a File Content Disclosure vulnerability in Action View <5.2.2.1, <5.1.6.2, <5.0.7.2, <4.2.11.1 and v3 where specially cra

CVE-2018-16476 | all versions | 7.5 HIGH
A Broken Access Control vulnerability in Active Job versions >= 4.2.0 allows an attacker to craft user input which can cause Activ

CVE-2016-5402 | all versions | 8.8 HIGH
A code injection flaw was found in the way capacity and utilization imported control files are processed. A remote, authenticated

CVE-2016-7047 | all versions | 4.3 MEDIUM
A flaw was found in the CloudForms API before 5.6.3.0, 5.7.3.1 and 5.8.1.2. A user with permissions to use the MiqReportResults ca

CVE-2016-7071 | all versions | 8.8 HIGH
It was found that CloudForms before 5.6.2.2 and 5.7.0.7 did not properly apply permissions controls to VM IDs passed by users

CVE-2017-2632 | all versions | 4.9 MEDIUM
A logic error in valid_role() in CloudForms role validation before 5.7.1.3 could allow a tenant administrator to create groups wit

CVE-2017-2653 | all versions | 4.1 MEDIUM
A number of unused delete routes are present in CloudForms before 5.7.2.1 which can be accessed via GET requests instead of just P

CVE-2017-12148 | all versions | 8.4 HIGH
A flaw was found in Ansible Tower's interface before 3.1.5 and 3.2.0 with SCM repositories. If a Tower project (SCM repository) de

CVE-2017-2639 | all versions | 6.5 MEDIUM
It was found that CloudForms does not verify that the server hostname matches the domain name in the certificate when using a cust

CVE-2017-2664 | all versions | 6.5 MEDIUM
CloudForms Management Engine (cfme) before 5.7.3 and 5.8.x before 5.8.1 lacks RBAC controls on certain methods in the rails applic

CVE-2017-7530 | all versions | 8.8 HIGH
In CloudForms Management Engine (cfme) before 5.7.3 and 5.8.x before 5.8.1, it was found that a privilege check is missing when invo

CVE-2018-10905 | all versions | 7.8 HIGH
CloudForms Management Engine (cfme) is vulnerable to an improper security setting in the dRuby component of CloudForms. An attacke

CVE-2018-10855 | all versions | 5.9 MEDIUM
Ansible 2.5 prior to 2.5.5, and 2.4 prior to 2.4.5, do not honor the no_log task flag for failed tasks. When the no_log flag has b

CVE-2018-3760 | all versions | 7.5 HIGH
There is an information leak vulnerability in Sprockets. Versions Affected: 4.0.0.beta7 and lower, 3.7.1 and lower, 2.12.4 and low

CVE-2018-1000544 | all versions | 9.8 CRITICAL
The rubyzip gem, version 1.2.1 and earlier, contains a Directory Traversal vulnerability in the Zip::File component that can result

CVE-2018-11627 | all versions | 6.1 MEDIUM
Sinatra before 2.0.2 has XSS via the 400 Bad Request page that occurs upon a params parser exception.

CVE-2018-1104 | all versions | 8.8 HIGH
Ansible Tower through version 3.2.3 has a vulnerability that allows users only with access to define variables for a job template

CVE-2018-1101 | all versions | 7.2 HIGH
Ansible Tower before version 3.2.4 has a flaw in the management of system and organization administrators that allows for privileg

CVE-2018-7750 | all versions | 9.8 CRITICAL
transport.py in the SSH server implementation of Paramiko before 1.17.6, 1.18.x before 1.18.5, 2.0.x before 2.0.8, 2.1.x before 2.

CVE-2018-1058 | all versions | 8.8 HIGH
A flaw was found in the way PostgreSQL allowed a user to modify the behavior of a query for other users. An attacker with a user a

CVE-2017-12191 | all versions | 7.4 HIGH
A flaw was found in the CloudForms account configuration when using VMware. By default, a shared account is used that has privileg

CVE-2018-1053 | all versions | 7.0 HIGH
In PostgreSQL 9.3.x before 9.3.21, 9.4.x before 9.4.16, 9.5.x before 9.5.11, 9.6.x before 9.6.7 and 10.x before 10.2, pg_upgrade c

CVE-2017-11610 | all versions | 8.8 HIGH
The XML-RPC server in supervisor before 3.0.1, 3.1.x before 3.1.4, 3.2.x before 3.2.4, and 3.3.x before 3.3.3 allows remote authen

CVE-2016-4471 | <= 4.0 | 8.8 HIGH
ManageIQ in CloudForms before 4.1 allows remote authenticated users to execute arbitrary code.

CVE-2016-5383 | all versions | 8.8 HIGH
The web UI in Red Hat CloudForms 4.1 allows remote authenticated users to execute arbitrary code via vectors involving "Lack of fi

CVE-2015-7502 | all versions | 5.1 MEDIUM
Red Hat CloudForms 3.2 Management Engine (CFME) 5.4.4 and CloudForms 4.0 Management Engine (CFME) 5.5.0 do not properly encrypt da

CVE-2014-0057 | all versions
The x_button method in the ServiceController (vmdb/app/controllers/service_controller.rb) in Red Hat CloudForms 3.0 Management Eng

CVE-2014-0081 | all versions
Multiple cross-site scripting (XSS) vulnerabilities in actionview/lib/action_view/helpers/number_helper.rb in Ruby on Rails before

CVE-2013-6443 | all versions
CloudForms 3.0 Management Engine before 5.2.1.6 allows remote attackers to bypass the Ruby on Rails protect_from_forgery mechanism

CVE-2012-5604 | all versions
The ldap_fluff gem for Ruby, as used in Red Hat CloudForms 1.1, when using Active Directory for authentication, allows remote atta

CVE-2012-5605 | <= 1.0
Grinder in Red Hat CloudForms before 1.1 uses world-writable permissions for /var/lib/pulp/cache/grinder/, which allows local user

CVE-2012-5603 | <= 1.0
proxies_controller.rb in Katello in Red Hat CloudForms before 1.1 does not properly check permissions, which allows remote authent

CVE-2012-4574 | <= 1.0
Pulp in Red Hat CloudForms before 1.1 uses world-readable permissions for pulp.conf, which allows local users to read the administ

CVE-2012-3538 | <= 1.0
Pulp in Red Hat CloudForms before 1.1 logs administrative passwords in a world-readable file, which allows local users to read pul
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin