PT-2020-3568 · Red Hat · Red Hat Cloudforms

Published 2020-08-03 · Updated 2021-07-21 · CVE-2020-10778

CVSS v2.0: 8.0 (High)

Vector: AV:N/AC:L/Au:S/C:C/I:P/A:P
Name of the Vulnerable Software and Affected Versions

Red Hat CloudForms versions 4.7 through 5

Description

The issue is related to a business logic flaw in the Red Hat CloudForms platform, specifically concerning the management of virtual environments. The flaw allows an attacker to edit read-only widgets by inspecting the forms, removing the disabled attribute from the fields, and bypassing server-side validation, which violates the expected behavior of the system.

Recommendations

For Red Hat CloudForms versions 4.7 through 5, as a temporary workaround, consider disabling the editing functionality of read-only widgets until a patch is available. Restrict access to the forms that allow widget editing to minimize the risk of exploitation. Do not rely on the disabled attribute as the sole means of securing widgets; instead, implement server-side validation to enforce access controls. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
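As an added example (not CloudForms or Red Hat code), the server-side check the recommendation calls for, written in Ruby because CloudForms is a Rails application: which widget fields are read-only is decided per role on the server, a submitted value for such a field is never persisted, and a submitted value that differs from the stored one indicates the disabled attribute was stripped in the browser, so the request is rejected and can be logged. The field names, roles and sample widget record are constructed for illustration.

```ruby
# Added example: enforce read-only widget fields on the server instead of
# trusting the browser's "disabled" attribute. Roles, fields and the sample
# record below are constructed, not taken from CloudForms.
READ_ONLY_FIELDS_BY_ROLE = {
  'viewer'   => %w[title content visibility owner],
  'operator' => %w[owner],
  'admin'    => []
}.freeze

class TamperedReadOnlyField < StandardError; end

# Returns only the attributes the role may persist. A read-only field is
# always dropped; if its submitted value differs from the stored one, the
# client bypassed the disabled attribute and the request is rejected so the
# controller can log and alert on it.
def sanitize_widget_update(role, stored, submitted)
  read_only = READ_ONLY_FIELDS_BY_ROLE.fetch(role) { raise ArgumentError, "unknown role #{role}" }
  allowed = {}
  tampered = []
  submitted.each do |field, value|
    field = field.to_s
    next unless stored.key?(field)            # ignore parameters that are not widget fields
    if read_only.include?(field)
      tampered << field if value != stored[field]
      next                                     # never persist a read-only field from the client
    end
    allowed[field] = value
  end
  raise TamperedReadOnlyField, "read-only fields changed: #{tampered.join(', ')}" unless tampered.empty?
  allowed
end

def apply_widget_update(role, stored, submitted)
  stored.merge(sanitize_widget_update(role, stored, submitted))
end

# Constructed sample: the 'owner' field is rendered disabled for operators,
# but one request arrives with a modified value anyway.
STORED_WIDGET = { 'title' => 'Capacity', 'content' => 'chart',
                  'visibility' => 'team', 'owner' => 'alice' }.freeze

if __FILE__ == $PROGRAM_NAME
  puts apply_widget_update('operator', STORED_WIDGET, 'title' => 'Capacity (EU)').inspect
  begin
    apply_widget_update('operator', STORED_WIDGET, 'title' => 'x', 'owner' => 'mallory')
  rescue TamperedReadOnlyField => e
    puts "rejected: #{e.message}"
  end
end
```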

Weakness Enumeration

Incorrect Authorization

Related Identifiers

BDU:2020-03901
CVE-2020-10778
RHSA-2020:3358
RHSA-2020:3574

Affected Products

Red Hat Cloudforms