Vulnerabilities > Apache > Cloudstack

DATE CVE VULNERABILITY TITLE RISK
2024-10-16 CVE-2024-45461 Missing Authorization vulnerability in Apache Cloudstack
The CloudStack Quota feature allows cloud administrators to implement a quota or usage limit system for cloud resources, and is disabled by default.
network
low complexity
apache CWE-862
6.3
2024-10-16 CVE-2024-45462 Unspecified vulnerability in Apache Cloudstack
The logout operation in the CloudStack web interface does not expire the user session completely which is valid until expiry by time or restart of the backend service.
local
low complexity
apache
7.1
2024-10-16 CVE-2024-45693 Unspecified vulnerability in Apache Cloudstack
Users logged into the Apache CloudStack's web interface can be tricked to submit malicious CSRF requests due to missing validation of the origin of the requests.
network
low complexity
apache
8.8
2024-08-07 CVE-2024-42062 Incorrect Authorization vulnerability in Apache Cloudstack
CloudStack account-users by default use username and password based authentication for API and UI access.
network
low complexity
apache CWE-863
7.2
2024-08-07 CVE-2024-42222 Unspecified vulnerability in Apache Cloudstack 4.19.1.0
In Apache CloudStack 4.19.1.0, a regression in the network listing API allows unauthorised list access of network details for domain admin and normal user accounts.
network
low complexity
apache
4.3
2024-07-19 CVE-2024-41107 Unspecified vulnerability in Apache Cloudstack
The CloudStack SAML authentication (disabled by default) does not enforce signature check.
network
high complexity
apache
8.1
2024-07-05 CVE-2024-38346 Unspecified vulnerability in Apache Cloudstack
The CloudStack cluster service runs on unauthenticated port (default 9090) that can be misused to run arbitrary commands on targeted hypervisors and CloudStack management server hosts.
network
low complexity
apache
critical
9.8
2024-07-05 CVE-2024-39864 Unspecified vulnerability in Apache Cloudstack
The CloudStack integration API service allows running its unauthenticated API server (usually on port 8096 when configured and enabled via integration.api.port global setting) for internal portal integrations and for testing purposes.
network
low complexity
apache
critical
9.8
2022-07-18 CVE-2022-35741 XXE vulnerability in Apache Cloudstack
Apache CloudStack version 4.5.0 and later has a SAML 2.0 authentication Service Provider plugin which is found to be vulnerable to XML external entity (XXE) injection.
network
low complexity
apache CWE-611
critical
9.8
2022-03-15 CVE-2022-26779 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Apache Cloudstack
Apache CloudStack prior to 4.16.1.0 used insecure random number generation for project invitation tokens.
network
high complexity
apache CWE-338
7.5