Filtered by vendor Redhat Subscriptions
Filtered by product Cloudforms Subscriptions
Total 50 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2019-11358 11 Backdropcms, Debian, Drupal and 8 more 114 Backdrop, Debian Linux, Drupal and 111 more 2024-11-15 6.1 Medium
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
CVE-2018-1053 4 Canonical, Debian, Postgresql and 1 more 6 Ubuntu Linux, Debian Linux, Postgresql and 3 more 2024-09-17 N/A
In postgresql 9.3.x before 9.3.21, 9.4.x before 9.4.16, 9.5.x before 9.5.11, 9.6.x before 9.6.7 and 10.x before 10.2, pg_upgrade creates file in current working directory containing the output of `pg_dumpall -g` under umask which was in effect when the user invoked pg_upgrade, and not under 0077 which is normally used for other temporary files. This can allow an authenticated attacker to read or modify the one file, which may contain encrypted or unencrypted database passwords. The attack is infeasible if a directory mode blocks the attacker searching the current working directory or if the prevailing umask blocks the attacker opening the file.
CVE-2018-1058 3 Canonical, Postgresql, Redhat 5 Ubuntu Linux, Postgresql, Cloudforms and 2 more 2024-09-17 8.8 High
A flaw was found in the way Postgresql allowed a user to modify the behavior of a query for other users. An attacker with a user account could use this flaw to execute code with the permissions of superuser in the database. Versions 9.3 through 10 are affected.
CVE-2018-1101 1 Redhat 3 Ansible Tower, Cloudforms, Cloudforms Managementengine 2024-09-17 N/A
Ansible Tower before version 3.2.4 has a flaw in the management of system and organization administrators that allows for privilege escalation. System administrators that are members of organizations can have their passwords reset by organization administrators, allowing organization administrators access to the entire system.
CVE-2018-1104 1 Redhat 3 Ansible Tower, Cloudforms, Cloudforms Managementengine 2024-09-16 N/A
Ansible Tower through version 3.2.3 has a vulnerability that allows users only with access to define variables for a job template to execute arbitrary code on the Tower server.
CVE-2018-3760 3 Debian, Redhat, Sprockets Project 6 Debian Linux, Cloudforms, Cloudforms Managementengine and 3 more 2024-09-16 N/A
There is an information leak vulnerability in Sprockets. Versions Affected: 4.0.0.beta7 and lower, 3.7.1 and lower, 2.12.4 and lower. Specially crafted requests can be used to access files that exists on the filesystem that is outside an application's root directory, when the Sprockets server is used in production. All users running an affected release should either upgrade or use one of the work arounds immediately.
CVE-2012-5605 2 Cloudforms Tools, Redhat 2 1, Cloudforms 2024-08-06 N/A
Grinder in Red Hat CloudForms before 1.1 uses world-writable permissions for /var/lib/pulp/cache/grinder/, which allows local users to modify grinder cache files.
CVE-2012-5604 1 Redhat 1 Cloudforms 2024-08-06 N/A
The ldap_fluff gem for Ruby, as used in Red Hat CloudForms 1.1, when using Active Directory for authentication, allows remote attackers to bypass authentication via unspecified vectors.
CVE-2012-5603 3 Cloudforms Tools, Redhat, Rhel Sam 3 1, Cloudforms, 1.2 2024-08-06 N/A
proxies_controller.rb in Katello in Red Hat CloudForms before 1.1 does not properly check permissions, which allows remote authenticated users to read consumer certificates or change arbitrary users' settings via unspecified vectors related to the "consumer UUID" of a system.
CVE-2012-4574 2 Cloudforms Tools, Redhat 3 1, Cloudforms, Rhui 2024-08-06 N/A
Pulp in Red Hat CloudForms before 1.1 uses world-readable permissions for pulp.conf, which allows local users to read the administrative password by reading this file.
CVE-2012-3538 2 Cloudforms Tools, Redhat 2 1, Cloudforms 2024-08-06 N/A
Pulp in Red Hat CloudForms before 1.1 logs administrative passwords in a world-readable file, which allows local users to read pulp administrative passwords by reading production.log.
CVE-2013-6443 1 Redhat 3 Cloudforms, Cloudforms 3.0 Management Engine, Cloudforms Managementengine 2024-08-06 N/A
CloudForms 3.0 Management Engine before 5.2.1.6 allows remote attackers to bypass the Ruby on Rails protect_from_forgery mechanism and conduct cross-site request forgery (CSRF) attacks via a destructive action in a request.
CVE-2013-4423 1 Redhat 2 Cloudforms, Cloudforms Managementengine 2024-08-06 5.5 Medium
CloudForms stores user passwords in recoverable format
CVE-2013-4172 1 Redhat 3 Cloudforms, Cloudforms Management Engine, Cloudforms Managementengine 2024-08-06 N/A
The Red Hat CloudForms Management Engine 5.1 allow remote administrators to execute arbitrary Ruby code via unspecified vectors.
CVE-2013-2068 1 Redhat 2 Cloudforms, Cloudforms Management Engine 2024-08-06 N/A
Multiple directory traversal vulnerabilities in the AgentController in Red Hat CloudForms Management Engine 2.0 allow remote attackers to create and overwrite arbitrary files via a .. (dot dot) in the filename parameter to the (1) log, (2) upload, or (3) linuxpkgs method.
CVE-2013-0186 1 Redhat 3 Cloudforms, Cloudforms Managementengine, Manageiq Enterprise Virtualization Manager 2024-08-06 6.1 Medium
Multiple cross-site scripting (XSS) vulnerabilities in ManageIQ EVM allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2014-0197 1 Redhat 3 Cloudforms, Cloudforms Management Engine, Cloudforms Managementengine 2024-08-06 8.8 High
CFME: CSRF protection vulnerability via permissive check of the referrer header
CVE-2014-0081 4 Opensuse, Opensuse Project, Redhat and 1 more 8 Opensuse, Opensuse, Cloudforms and 5 more 2024-08-06 N/A
Multiple cross-site scripting (XSS) vulnerabilities in actionview/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.17, 4.0.x before 4.0.3, and 4.1.x before 4.1.0.beta2 allow remote attackers to inject arbitrary web script or HTML via the (1) format, (2) negative_format, or (3) units parameter to the (a) number_to_currency, (b) number_to_percentage, or (c) number_to_human helper.
CVE-2014-0057 1 Redhat 3 Cloudforms, Cloudforms 3.0 Management Engine, Cloudforms Managementengine 2024-08-06 N/A
The x_button method in the ServiceController (vmdb/app/controllers/service_controller.rb) in Red Hat CloudForms 3.0 Management Engine 5.2 allows remote attackers to execute arbitrary methods via unspecified vectors.
CVE-2015-7502 1 Redhat 3 Cloudforms, Cloudforms Management Engine, Cloudforms Managementengine 2024-08-06 N/A
Red Hat CloudForms 3.2 Management Engine (CFME) 5.4.4 and CloudForms 4.0 Management Engine (CFME) 5.5.0 do not properly encrypt data in the backend PostgreSQL database, which might allow local users to obtain sensitive data and consequently gain privileges by leveraging access to (1) database exports or (2) log files.