Cross-Site Request Forgery Vulnerability in CloudForms by Red Hat
CVE-2017-2653

4.1MEDIUM

Key Information:

Vendor
Red Hat
Vendor
CVE Published:
27 July 2018

Summary

CloudForms, prior to version 5.7.2.1, exposes certain unused delete routes that can be manipulated through GET requests instead of the intended POST requests. This flaw can potentially allow an attacker to circumvent XSRF protections, providing an opportunity to exploit the application using various attack vectors. Successful exploitation would likely require additional techniques, such as cross-site scripting, to fully leverage this vulnerability.

Affected Version(s)

CloudForms 5.7.2.1

References

CVSS V3.1

Score:
4.1
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.