Redhat Cloudforms: medium-risk vulnerabilities

| Date | CVE | Vulnerability title | Description | Attack vector | Complexity | Vendor / CWE | Risk score |
|---|---|---|---|---|---|---|---|
| 2018-05-02 | CVE-2018-1101 | Weak Password Requirements vulnerability in Redhat Ansible Tower and Cloudforms | Ansible Tower before version 3.2.4 has a flaw in the management of system and organization administrators that allows for privilege escalation. | network | low | redhat CWE-521 | 6.5 |
| 2017-06-08 | CVE-2016-4471 | Permissions, Privileges, and Access Controls vulnerability in Redhat Cloudforms | ManageIQ in CloudForms before 4.1 allows remote authenticated users to execute arbitrary code. | network | low | redhat CWE-264 | 6.5 |
| 2016-08-26 | CVE-2016-5383 | Improper Access Control vulnerability in Redhat Cloudforms 4.1 | The web UI in Red Hat CloudForms 4.1 allows remote authenticated users to execute arbitrary code via vectors involving "Lack of field filters." | network | low | redhat CWE-284 | 6.5 |
| 2016-04-11 | CVE-2015-7502 | Information Exposure vulnerability in Redhat Cloudforms and Cloudforms Management Engine | Red Hat CloudForms 3.2 Management Engine (CFME) 5.4.4 and CloudForms 4.0 Management Engine (CFME) 5.5.0 do not properly encrypt data in the backend PostgreSQL database, which might allow local users to obtain sensitive data and consequently gain privileges by leveraging access to (1) database exports or (2) log files. | local | high | redhat CWE-200 | 5.1 |
| 2014-02-20 | CVE-2014-0081 | Cross-Site Scripting vulnerability in multiple products | Multiple cross-site scripting (XSS) vulnerabilities in actionview/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.17, 4.0.x before 4.0.3, and 4.1.x before 4.1.0.beta2 allow remote attackers to inject arbitrary web script or HTML via the (1) format, (2) negative_format, or (3) units parameter to the (a) number_to_currency, (b) number_to_percentage, or (c) number_to_human helper. | | | | 4.3 |
| 2014-01-23 | CVE-2013-6443 | Cross-Site Request Forgery (CSRF) vulnerability in Redhat Cloudforms and Cloudforms 3.0 Management Engine | CloudForms 3.0 Management Engine before 5.2.1.6 allows remote attackers to bypass the Ruby on Rails protect_from_forgery mechanism and conduct cross-site request forgery (CSRF) attacks via a destructive action in a request. | network | | redhat CWE-352 | 6.8 |
| 2013-03-01 | CVE-2012-5604 | Permissions, Privileges, and Access Controls vulnerability in Redhat Cloudforms 1.1 | The ldap_fluff gem for Ruby, as used in Red Hat CloudForms 1.1, when using Active Directory for authentication, allows remote attackers to bypass authentication via unspecified vectors. | network | | redhat CWE-264 | 4.3 |
| 2013-01-04 | CVE-2012-5603 | Permissions, Privileges, and Access Controls vulnerability in Redhat Cloudforms 1.0 | proxies_controller.rb in Katello in Red Hat CloudForms before 1.1 does not properly check permissions, which allows remote authenticated users to read consumer certificates or change arbitrary users' settings via unspecified vectors related to the "consumer UUID" of a system. | network | low | redhat CWE-264 | 5.5 |