Description
In Red Hat CloudForms 4.7 and 5, read-only widgets can be edited by inspecting the forms and dropping the disabled attribute from the fields, because there is no server-side validation. This business logic flaw violates the expected behavior.
References (2)
Core 2
Core References
Issue Tracking, Vendor Advisory x_refsource_misc
https://bugzilla.redhat.com/show_bug.cgi?id=1847628
Vendor Advisory x_refsource_misc
https://access.redhat.com/security/cve/cve-2020-10778
Scores
CVSS v3
6.0
EPSS
0.0088
EPSS Percentile
54.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L
Details
CWE
CWE-669
Status
published
Products (2)
redhat/cloudforms
4.7
redhat/cloudforms
5.0.0
Published
Aug 11, 2020
Tracked Since
Feb 18, 2026