Martin Povolny of Red Hat reports: Researching the problem, I have found one more issue, and that would be allowing GET requests on destructive actions, allowing the Rails protect_from_forgery mechanism to be bypassed.
Acknowledgements: This issue was discovered by Martin Povolný of Red Hat.
This issue has been addressed in the following products:

CloudForms Management Engine 5.x

Via RHSA-2014:0025 https://rhn.redhat.com/errata/RHSA-2014-0025.html
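
Added example (not from the report or from the CloudForms code): Rails' forgery protection skips the token check for GET and HEAD requests, so a route audit like this one flags destructive actions reachable through those verbs. The route table, the action-name heuristic and all identifiers are constructed assumptions, and `csrf_check_passes?` is a simplified model of the Rails check.

```ruby
# Added illustration; simplified model, not Rails or CloudForms source.
require "set"

# Verbs for which protect_from_forgery does not require a token,
# on the assumption that they never change state.
CSRF_EXEMPT_VERBS = Set["GET", "HEAD"].freeze

# Assumed naming heuristic for state-changing controller actions.
DESTRUCTIVE_ACTION = /\A(destroy|delete|remove|update|create|reset|stop|retire)/i

Route = Struct.new(:verb, :path, :action)

# Mirrors the shape of the forgery check: exempt verbs pass without a token,
# every other verb needs a token matching the one stored in the session.
def csrf_check_passes?(verb, session_token, submitted_token)
  return true if CSRF_EXEMPT_VERBS.include?(verb.upcase)
  !session_token.nil? && session_token == submitted_token
end

# Returns routes whose destructive action is reachable via an exempt verb,
# i.e. routes where the token check never runs.
def unprotected_destructive_routes(routes)
  routes.select do |r|
    CSRF_EXEMPT_VERBS.include?(r.verb.upcase) &&
      r.action.split("#").last =~ DESTRUCTIVE_ACTION
  end
end

# Constructed route table (hypothetical controller and action names).
SAMPLE_ROUTES = [
  Route.new("GET",    "/widgets",            "widgets#index"),
  Route.new("GET",    "/widgets/:id/delete", "widgets#delete"),
  Route.new("DELETE", "/widgets/:id",        "widgets#destroy"),
  Route.new("get",    "/widgets/:id/stop",   "widgets#stop_now"),
  Route.new("POST",   "/widgets",            "widgets#create"),
].freeze

if __FILE__ == $PROGRAM_NAME
  unprotected_destructive_routes(SAMPLE_ROUTES).each do |r|
    puts "CSRF check skipped: #{r.verb.upcase} #{r.path} -> #{r.action}"
  end
end
```

Routes it reports should be moved to POST, PUT, PATCH or DELETE so that the token check applies to them.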