CVE-2013-2050

Red Hat CloudForms Management Engine < 5.0 - SQL Injection

Description

SQL injection vulnerability in the miq_policy controller in Red Hat CloudForms 2.0 Management Engine (CFME) 5.1 and ManageIQ Enterprise Virtualization Manager 5.0 and earlier allows remote authenticated users to execute arbitrary SQL commands via the profile[] parameter in an explorer action.

Exploits (1)

Metasploit module (Ruby), working PoC
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/admin/http/cfme_manageiq_evm_pass_reset.rb

Scores

EPSS 0.5416
EPSS Percentile 98.0%

Details

CWE CWE-89
Status published
Products (2)
redhat/cloudforms_management_engine 5.1
redhat/manageiq_enterprise_virtualization_manager < 5.0
Published Jan 11, 2014
Tracked Since Feb 18, 2026