Apache · Apache CloudStack · CVE-2024-42062
**Name of the Vulnerable Software and Affected Versions**
Apache CloudStack versions 4.10.0 through 4.19.1.0
**Description**
The issue is caused by an access permission validation problem that allows domain admin accounts to query the API and secret keys of all registered account users, including those of the root admin. An attacker with domain admin access can exploit this to gain the privileges of the root admin and of other accounts, potentially compromising the integrity and confidentiality of resources and causing data loss, denial of service, and loss of availability of CloudStack-managed infrastructure.
**Recommendations**
For Apache CloudStack versions 4.10.0 through 4.19.1.0, upgrade to Apache CloudStack 4.18.2.3 or 4.19.1.1, or later, which address this issue.
Additionally, all account-user API and secret keys should be regenerated.
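A version triage for the ranges stated above, as an added example that is not code from the advisory or from the Apache CloudStack project. It shows why a plain range comparison is not enough: 4.18.2.3 falls numerically inside 4.10.0 through 4.19.1.0 but is a fixed release. It assumes every 4.18.x release at or above 4.18.2.3 carries the fix; the inventory and host names are constructed.

```python
import re

# Bounds and fixed releases taken from the advisory text.
AFFECTED_MIN = (4, 10, 0, 0)
AFFECTED_MAX = (4, 19, 1, 0)
# Fixed release per (major, minor) branch.
FIXED = {(4, 18): (4, 18, 2, 3), (4, 19): (4, 19, 1, 1)}


def parse_version(text):
    """Turn '4.19.1' or '4.18.2.3-SNAPSHOT' into a 4-tuple of ints."""
    m = re.match(r"^\s*(\d+(?:\.\d+){1,3})", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def classify(text):
    """Return 'affected', 'fixed' or 'not-listed' for one version string."""
    v = parse_version(text)
    if v < AFFECTED_MIN:
        return "not-listed"  # the advisory makes no statement below 4.10.0
    fixed = FIXED.get(v[:2])
    if fixed is not None and v >= fixed:
        return "fixed"  # patched release on the 4.18 or 4.19 branch
    if v <= AFFECTED_MAX:
        return "affected"
    return "fixed"  # later than 4.19.1.1


def hosts_to_upgrade(inventory):
    """Return the sorted host names whose reported version is affected."""
    return sorted(h for h, ver in inventory.items() if classify(ver) == "affected")


# Constructed inventory: management server name -> reported version.
SAMPLE_INVENTORY = {
    "mgmt-a.example.internal": "4.18.2.2",
    "mgmt-b.example.internal": "4.18.2.3",
    "mgmt-c.example.internal": "4.19.1.0",
    "mgmt-d.example.internal": "4.19.1.1",
    "mgmt-e.example.internal": "4.17.2.0",
}

if __name__ == "__main__":
    for host in hosts_to_upgrade(SAMPLE_INVENTORY):
        print(f"{host}: upgrade, then regenerate all account-user API and secret keys")
```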