Vulnerabilities > Redhat > Cloudforms Management Engine > High

| DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | ATTACK VECTOR | COMPLEXITY | TAGS | RISK |
|---|---|---|---|---|---|---|---|
| 2020-08-11 | CVE-2020-14296 | Server-Side Request Forgery (SSRF) vulnerability in Redhat Cloudforms Management Engine 4.7/5.0 | Red Hat CloudForms 4.7 and 5 were vulnerable to a Server-Side Request Forgery (SSRF) flaw. | network | low | redhat, CWE-918 | 7.1 |
| 2020-06-22 | CVE-2019-14894 | Unspecified vulnerability in Redhat Cloudforms Management Engine 5.10/5.11 | A flaw was found in the CloudForms management engine version 5.10 and CloudForms management version 5.11, which triggered remote code execution through NFS schedule backup. | network | low | redhat | 7.2 |
| 2020-02-19 | CVE-2012-6685 | XML Entity Expansion vulnerability in multiple products | Nokogiri before 1.5.4 is vulnerable to XXE attacks. | network | low | nokogiri, redhat, CWE-776 | 7.5 |
| 2019-12-13 | CVE-2014-0197 | Cross-Site Request Forgery (CSRF) vulnerability in Redhat Cloudforms and Cloudforms Management Engine | CFME: CSRF protection vulnerability via permissive check of the referrer header. | network | low | redhat, CWE-352 | 8.8 |
| 2018-10-31 | CVE-2016-5402 | Unspecified vulnerability in Redhat Cloudforms and Cloudforms Management Engine | A code injection flaw was found in the way capacity and utilization imported control files are processed. | network | low | redhat | 8.8 |
| 2018-09-10 | CVE-2016-7071 | Improper Authorization vulnerability in Redhat Cloudforms and Cloudforms Management Engine | It was found that CloudForms before 5.6.2.2 and 5.7.0.7 did not properly apply permission controls to VM IDs passed by users. | network | low | redhat, CWE-285 | 8.8 |
| 2018-07-27 | CVE-2017-2639 | Unspecified vulnerability in Redhat Cloudforms and Cloudforms Management Engine | It was found that CloudForms does not verify that the server hostname matches the domain name in the certificate when using a custom CA and communicating with Red Hat Virtualization (RHEV) and OpenShift. | network | low | redhat | 7.5 |
| 2018-07-26 | CVE-2017-7530 | Unspecified vulnerability in Redhat Cloudforms and Cloudforms Management Engine | In CloudForms Management Engine (cfme) before 5.7.3 and 5.8.x before 5.8.1, it was found that a privilege check is missing when invoking arbitrary methods, via filtering on VMs, that MiqExpression will execute; this is triggerable by API users. | network | low | redhat | 8.8 |
| 2018-07-24 | CVE-2018-10905 | OS Command Injection vulnerability in Redhat Cloudforms and Cloudforms Management Engine | CloudForms Management Engine (cfme) is vulnerable to an improper security setting in the dRuby component of CloudForms. | local | low | redhat, CWE-78 | 7.8 |
| 2018-05-01 | CVE-2013-2049 | Session Fixation vulnerability in Redhat Cloudforms Management Engine 2.0 | Red Hat CloudForms 2 Management Engine (CFME) allows remote attackers to conduct session tampering attacks by leveraging use of a static secret_token.rb secret. | network | low | redhat, CWE-384 | 7.5 |