Red Hat CloudForms: medium-severity vulnerabilities

Each entry lists DATE, CVE, VULNERABILITY TITLE, a description, and then attack vector, attack complexity, vendor, CWE and RISK score.
2020-12-02 CVE-2020-14369 Cross-Site Request Forgery (CSRF) vulnerability in Redhat Cloudforms
This release fixes a Cross-Site Request Forgery vulnerability found in Red Hat CloudForms which forces end users to execute unwanted actions on a web application in which they are currently authenticated.
Attack vector: network. Vendor: redhat. Weakness: CWE-352. Risk score: 6.8

2020-08-11 CVE-2020-14325 Incorrect Authorization vulnerability in Redhat Cloudforms
Red Hat CloudForms before 5.11.7.0 was vulnerable to a User Impersonation authorization flaw which allows a malicious attacker to create existing and non-existent role-based access control users, with groups and roles.
Attack vector: network. Attack complexity: low. Vendor: redhat. Weakness: CWE-863. Risk score: 6.4

2020-08-11 CVE-2020-10783 Incorrect Authorization vulnerability in Redhat Cloudforms 4.7/5.0.0
Red Hat CloudForms 4.7 and 5 are affected by a role-based privilege escalation flaw.
Attack vector: network. Attack complexity: low. Vendor: redhat. Weakness: CWE-863. Risk score: 6.5

2020-08-11 CVE-2020-10779 Missing Authorization vulnerability in Redhat Cloudforms 4.7/5.0.0
Red Hat CloudForms 4.7 and 5 are affected by insecure direct object references (IDOR) and a functional-level access control bypass due to a missing privilege check.
Attack vector: network. Attack complexity: low. Vendor: redhat. Weakness: CWE-862. Risk score: 4.0

2020-08-11 CVE-2020-10778 Incorrect Authorization vulnerability in Redhat Cloudforms 4.7/5.0.0
In Red Hat CloudForms 4.7 and 5, read-only widgets can be edited by inspecting the forms and dropping the disabled attribute from the fields, since there is no server-side validation.
Attack vector: network. Attack complexity: low. Vendor: redhat. Weakness: CWE-863. Risk score: 6.5

2019-11-04 CVE-2013-4423 Insufficiently Protected Credentials vulnerability in Redhat Cloudforms 3.0
CloudForms stores user passwords in a recoverable format.
Attack vector: local. Attack complexity: low. Vendor: redhat. Weakness: CWE-522. Risk score: 5.5

2019-11-01 CVE-2013-0186 Cross-site Scripting vulnerability in Redhat products
Multiple cross-site scripting (XSS) vulnerabilities in ManageIQ EVM allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Attack vector: network. Attack complexity: low. Vendor: redhat. Weakness: CWE-79. Risk score: 6.1

2019-09-25 CVE-2019-16892
In Rubyzip before 1.3.0, a crafted ZIP file can bypass application checks on ZIP entry sizes because data about the uncompressed size can be spoofed.
Attack vector: local. Attack complexity: low. Vendors: rubyzip-project, fedoraproject, redhat. Risk score: 5.5

2019-06-14 CVE-2019-10159 Improper Authorization vulnerability in Redhat Cfme-Gemset and Cloudforms
cfme-gemset versions 5.10.4.3 and below, and 5.9.9.3 and below, are vulnerable to a data leak due to improper authorization in the migration log controller.
Attack vector: network. Attack complexity: low. Vendor: redhat. Weakness: CWE-285. Risk score: 4.3

2019-04-20 CVE-2019-11358
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution.
Risk score: 6.1