Vulnerabilities > Redhat > Cloudforms > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2018-11-30 | CVE-2018-16476 | Deserialization of Untrusted Data vulnerability in multiple products A Broken Access Control vulnerability in Active Job versions >= 4.2.0 allows an attacker to craft user input which can cause Active Job to deserialize it using GlobalId and give them access to information that they should not have. | 5.0 |
| 2018-09-11 | CVE-2016-7047 | Information Exposure vulnerability in Redhat Cloudforms and Cloudforms Management Engine A flaw was found in the CloudForms API before 5.6.3.0, 5.7.3.1 and 5.8.1.2. | 4.3 |
| 2018-07-27 | CVE-2017-2632 | Incorrect Authorization vulnerability in Redhat Cloudforms and Cloudforms Management Engine A logic error in valid_role() in CloudForms role validation before 5.7.1.3 could allow a tenant administrator to create groups with a higher privilege level than the tenant administrator should have. | 4.0 |
| 2018-07-27 | CVE-2017-2653 | Improper Input Validation vulnerability in Redhat Cloudforms and Cloudforms Management Engine A number of unused delete routes are present in CloudForms before 5.7.2.1 which can be accessed via GET requests instead of just POST requests. | 6.5 |
| 2018-07-26 | CVE-2017-2664 | Unspecified vulnerability in Redhat Cloudforms and Cloudforms Management Engine CloudForms Management Engine (cfme) before 5.7.3 and 5.8.x before 5.8.1 lacks RBAC controls on certain methods in the rails application portion of CloudForms. | 4.0 |
| 2018-07-26 | CVE-2017-7530 | Unspecified vulnerability in Redhat Cloudforms and Cloudforms Management Engine In CloudForms Management Engine (cfme) before 5.7.3 and 5.8.x before 5.8.1, it was found that privilege check is missing when invoking arbitrary methods via filtering on VMs that MiqExpression will execute that is triggerable by API users. | 6.5 |
| 2018-07-03 | CVE-2018-10855 | Information Exposure Through Log Files vulnerability in multiple products Ansible 2.5 prior to 2.5.5, and 2.4 prior to 2.4.5, do not honor the no_log task flag for failed tasks. | 4.3 |
| 2018-06-26 | CVE-2018-3760 | Information Exposure vulnerability in multiple products There is an information leak vulnerability in Sprockets. | 5.0 |
| 2018-05-31 | CVE-2018-11627 | Cross-site Scripting vulnerability in multiple products Sinatra before 2.0.2 has XSS via the 400 Bad Request page that occurs upon a params parser exception. | 4.3 |
| 2018-05-02 | CVE-2018-1104 | Code Injection vulnerability in Redhat Ansible Tower and Cloudforms Ansible Tower through version 3.2.3 has a vulnerability that allows users only with access to define variables for a job template to execute arbitrary code on the Tower server. | 6.5 |