Martin Povolny of Red Hat reports:
Several routes in the CloudForms app contained actions that can be performed via GET request instead of POST request. This could result in a failure to check the protect_from_forgery token, so these actions may be vulnerable to XSRF.
Accidentally scored without user interaction required, corrected CVSSv2/3 scores.
This issue has been addressed in the following products:
CloudForms Management Engine 5.7
Via RHSA-2017:0898 https://access.redhat.com/errata/RHSA-2017:0898
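
An added example (not CloudForms code and not part of the report above) of the check the report implies: Rails' protect_from_forgery verifies the token only on non-GET/HEAD requests, so this script audits a route table for state-changing actions that are still reachable via GET or HEAD. The route table, controller/action names and the action-name heuristic are constructed assumptions.

```ruby
# Constructed route table; controller and action names are hypothetical,
# not taken from CloudForms.
Route = Struct.new(:verbs, :path, :action)

ROUTES = [
  Route.new(%w[GET],      "/vm/show/:id",    "vm#show"),
  Route.new(%w[GET POST], "/vm/delete/:id",  "vm#delete"),
  Route.new(%w[POST],     "/vm/retire/:id",  "vm#retire"),
  Route.new(%w[GET],      "/host/reset/:id", "host#reset"),
  Route.new(%w[GET HEAD], "/host/list",      "host#list"),
].freeze

# Assumption: actions whose name starts with one of these words change state.
STATE_CHANGING = /\A(create|update|delete|destroy|reset|retire|save|set|add|remove)/

# Rails' protect_from_forgery skips token verification for GET and HEAD.
SKIPS_TOKEN_CHECK = %w[GET HEAD].freeze

# True when a request with this verb would have its CSRF token verified.
def token_checked?(verb)
  !SKIPS_TOKEN_CHECK.include?(verb.upcase)
end

# True when the action name (after "controller#") looks state-changing.
def state_changing?(route)
  action_name = route.action.split("#", 2).last
  STATE_CHANGING.match?(action_name)
end

# Returns [route, unchecked_verbs] pairs for state-changing actions that
# can be reached with a verb on which the CSRF token is never verified.
def csrf_exposed_routes(routes)
  routes.each_with_object([]) do |route, found|
    next unless state_changing?(route)
    unchecked = route.verbs.reject { |verb| token_checked?(verb) }
    found << [route, unchecked] unless unchecked.empty?
  end
end

if __FILE__ == $PROGRAM_NAME
  csrf_exposed_routes(ROUTES).each do |route, verbs|
    puts "#{route.action} (#{route.path}) reachable via #{verbs.join(',')}: restrict to POST"
  end
end
```

A route that accepts both GET and POST is still flagged, because the GET path alone is enough to skip the token check.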