Vulnerabilities
Vulnerable Software
CVE-2014-0130
Known exploited
Directory traversal vulnerability in actionpack/lib/abstract_controller/base.rb in the implicit-render implementation in Ruby on Rails before 3.2.18, 4.0.x before 4.0.5, and 4.1.x before 4.1.1, when certain route globbing configurations are enabled, allows remote attackers to read arbitrary files via a crafted request.
CVSS Score: 7.5
EPSS Score: 0.205
Published: 2014-05-07
Candlepin in Red Hat Subscription Asset Manager 1.0 through 1.3 uses a weak authentication scheme when the configuration file does not specify a scheme, which has unspecified impact and attack vectors.
CVSS Score: 9.3
EPSS Score: 0.004
Published: 2013-12-23
Cross-site scripting (XSS) vulnerability in the Notifications form in Red Hat Subscription Asset Manager before 1.2.1 allows remote attackers to inject arbitrary web script or HTML via the username field.
CVSS Score: 4.3
EPSS Score: 0.003
Published: 2013-04-02
Candlepin before 0.7.24, as used in Red Hat Subscription Asset Manager before 1.2.1, does not properly check manifest signatures, which allows local users to modify manifests.
CVSS Score: 2.1
EPSS Score: 0.001
Published: 2013-04-02

