Skip to main content

Cloudforms CVE-2013-6443

MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2014-01-23 secalert@redhat.com
6.8
CVSS 2.0 · NVD
Share

Severity by source

NVD PRIMARY
6.8 MEDIUM
AV:N/AC:M/Au:N/C:P/I:P/A:P

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

AV:N/AC:M/Au:N/C:P/I:P/A:P
Attack Vector
Network
Attack Complexity
M
Confidentiality
P
Integrity
P
Availability
P

Lifecycle Timeline

1
CVE Published
Jan 23, 2014 - 01:55 cve.org
MEDIUM 6.8

DescriptionCVE.org

CloudForms 3.0 Management Engine before 5.2.1.6 allows remote attackers to bypass the Ruby on Rails protect_from_forgery mechanism and conduct cross-site request forgery (CSRF) attacks via a destructive action in a request.

AnalysisAI

CloudForms 3.0 Management Engine before 5.2.1.6 allows remote attackers to bypass the Ruby on Rails protect_from_forgery mechanism and conduct cross-site request forgery (CSRF) attacks via a. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Request Forgery (CSRF) (CWE-352), which allows attackers to trick authenticated users into performing unintended actions. CloudForms 3.0 Management Engine before 5.2.1.6 allows remote attackers to bypass the Ruby on Rails protect_from_forgery mechanism and conduct cross-site request forgery (CSRF) attacks via a destructive action in a request. Affected products include: Redhat Cloudforms, Redhat Cloudforms 3.0 Management Engine. Version information: before 5.2.1.6.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Implement anti-CSRF tokens, validate Origin/Referer headers, use SameSite cookie attribute.

CVE-2017-11610 HIGH POC
8.8 Aug 23

The XML-RPC server in supervisor before 3.0.1, 3.1.x before 3.1.4, 3.2.x before 3.2.4, and 3.3.x before 3.3.3 allows rem

CVE-2018-1000544 CRITICAL POC
9.8 Jun 26

rubyzip gem rubyzip version 1.2.1 and earlier contains a Directory Traversal vulnerability in Zip::File component that c

CVE-2018-7750 CRITICAL POC
9.8 Mar 13

transport.py in the SSH server implementation of Paramiko before 1.17.6, 1.18.x before 1.18.5, 2.0.x before 2.0.8, 2.1.x

CVE-2019-5419 HIGH POC
7.5 Mar 27

There is a possible denial of service vulnerability in Action View (Rails) <5.2.2.1, <5.1.6.2, <5.0.7.2, <4.2.11.1 where

CVE-2019-5418 HIGH POC
7.5 Mar 27

There is a File Content Disclosure vulnerability in Action View <5.2.2.1, <5.1.6.2, <5.0.7.2, <4.2.11.1 and v3 where spe

CVE-2018-16476 HIGH POC
7.5 Nov 30

A Broken Access Control vulnerability in Active Job versions >= 4.2.0 allows an attacker to craft user input which can c

CVE-2018-3760 HIGH POC
7.5 Jun 26

There is an information leak vulnerability in Sprockets. Rated high severity (CVSS 7.5), this vulnerability is remotely

CVE-2019-11358 MEDIUM POC
6.1 Apr 20

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) becaus

CVE-2018-11627 MEDIUM POC
6.1 May 31

Sinatra before 2.0.2 has XSS via the 400 Bad Request page that occurs upon a params parser exception. Rated medium sever

CVE-2019-16892 MEDIUM POC
5.5 Sep 25

In Rubyzip before 1.3.0, a crafted ZIP file can bypass application checks on ZIP entry sizes because data about the unco

CVE-2016-4471 HIGH
8.8 Jun 08

ManageIQ in CloudForms before 4.1 allows remote authenticated users to execute arbitrary code. Rated high severity (CVSS

CVE-2020-14325 CRITICAL
9.1 Aug 11

Red Hat CloudForms before 5.11.7.0 was vulnerable to the User Impersonation authorization flaw which allows malicious at

Share

CVE-2013-6443 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy