It was found that an attacker with access to the appliance filesystem is able to execute arbitrary code with the same privileges that the appliance runs under. This issue has been present since upstream commit f077196c99feb874e5cba8b93c1f8dfe26421c1b.
Upstream patch: https://github.com/ManageIQ/manageiq/pull/7856
Acknowledgments: Simon Lukasik (Red Hat)
This issue was fixed in CloudForms 4.1 in erratum RHBA-2016:1348.