Vulnerabilities in Red Hat CloudForms (medium risk)

Each entry lists: date, CVE, vulnerability title, description, attack vector, attack complexity, vendor and CWE, risk score.
2020-12-02 CVE-2020-14369 Cross-Site Request Forgery (CSRF) vulnerability in Redhat Cloudforms
Description: This release fixes a Cross Site Request Forgery vulnerability found in Red Hat CloudForms which forces end users to execute unwanted actions on a web application in which the user is currently authenticated.
Attack vector: network
Attack complexity: low
Vendor / CWE: redhat CWE-352
Risk: 6.3
2020-08-11 CVE-2020-10779 Authorization Bypass Through User-Controlled Key vulnerability in Redhat Cloudforms 4.7/5.0.0
Description: Red Hat CloudForms 4.7 and 5 are affected by insecure direct object references (IDOR) and a functional-level access control bypass due to a missing privilege check.
Attack vector: network
Attack complexity: low
Vendor / CWE: redhat CWE-639
Risk: 6.5
2020-08-11 CVE-2020-10778 Incorrect Resource Transfer Between Spheres vulnerability in Redhat Cloudforms 4.7/5.0.0
Description: In Red Hat CloudForms 4.7 and 5, read-only widgets can be edited by inspecting the forms and dropping the disabled attribute from the fields, since there is no server-side validation.
Attack vector: network
Attack complexity: low
Vendor / CWE: redhat CWE-669
Risk: 6.0
2020-08-11 CVE-2020-10777 Cross-site Scripting vulnerability in Redhat Cloudforms 4.7/5.0.0
Description: A cross-site scripting flaw was found in the Report Menu feature of Red Hat CloudForms 4.7 and 5.
Attack vector: network
Attack complexity: low
Vendor / CWE: redhat CWE-79
Risk: 5.4
2019-11-04 CVE-2013-4423 Insufficiently Protected Credentials vulnerability in Redhat Cloudforms 3.0
Description: CloudForms stores user passwords in a recoverable format.
Attack vector: local
Attack complexity: low
Vendor / CWE: redhat CWE-522
Risk: 5.5
2019-11-01 CVE-2013-0186 Cross-site Scripting vulnerability in Redhat products
Description: Multiple cross-site scripting (XSS) vulnerabilities in ManageIQ EVM allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Attack vector: network
Attack complexity: low
Vendor / CWE: redhat CWE-79
Risk: 6.1
2019-09-25 CVE-2019-16892
Description: In Rubyzip before 1.3.0, a crafted ZIP file can bypass application checks on ZIP entry sizes because data about the uncompressed size can be spoofed.
Attack vector: local
Attack complexity: low
Vendor(s): rubyzip-project fedoraproject redhat
Risk: 5.5
2019-06-14 CVE-2019-10159 Unspecified vulnerability in Redhat Cfme-Gemset and Cloudforms
Description: cfme-gemset versions 5.10.4.3 and below and 5.9.9.3 and below are vulnerable to a data leak due to improper authorization in the migration log controller.
Attack vector: network
Attack complexity: low
Vendor: redhat
Risk: 4.3
2019-04-20 CVE-2019-11358
Description: jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution.
Risk: 6.1
2018-09-11 CVE-2016-7047 Information Exposure vulnerability in Redhat Cloudforms and Cloudforms Management Engine
Description: A flaw was found in the CloudForms API before 5.6.3.0, 5.7.3.1 and 5.8.1.2.
Attack vector: network
Attack complexity: low
Vendor / CWE: redhat CWE-200
Risk: 4.3