Cross-Site Request Forgery Vulnerability in CloudForms by Red Hat
CVE-2017-2653

4.1MEDIUM

Key Information:

Vendor
Red Hat
Status
Cloudforms
Vendor
CVE Published:
27 July 2018

Summary

CloudForms, prior to version 5.7.2.1, exposes certain unused delete routes that can be manipulated through GET requests instead of the intended POST requests. This flaw can potentially allow an attacker to circumvent XSRF protections, providing an opportunity to exploit the application using various attack vectors. Successful exploitation would likely require additional techniques, such as cross-site scripting, to fully leverage this vulnerability.

Affected Version(s)

CloudForms 5.7.2.1

References

https://access.redhat.com/errata/RHSA-2017:0898
vendor-advisoryx_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2653
x_refsource_CONFIRM
http://www.securityfocus.com/bid/96964
vdb-entryx_refsource_BID

CVSS V3.1

Score:
4.1
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.