It was found that CloudForms did not properly apply permission controls to VM IDs passed by users. A remote, authenticated attacker could use this flaw to perform arbitrary actions on VMs managed by CloudForms if they knew the ID of the VM.
Felix Dewaleyne reported in https://bugzilla.redhat.com/show_bug.cgi?id=1382756:
Description of problem:
Requests made from the web_ui can allow a user who does not have any permission on a VM to run any action on it.
Version-Release number of selected component (if applicable):
This issue has been addressed in the following products:
CloudForms Management Engine 5.6
Via RHSA-2016:2091 https://rhn.redhat.com/errata/RHSA-2016-2091.html
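As an added illustration of the flaw class described above (this is not CloudForms or ManageIQ code; the Vm, User and VmActions names and the sample data are constructed), a Ruby VM action handler that trusts a user-supplied VM ID is shown beside one that resolves the ID only through the VMs the caller is permitted to see:

```ruby
# Constructed example, not CloudForms/ManageIQ code. It contrasts an action
# handler that looks a VM up by user-supplied ID with no permission check
# against one that scopes the lookup to the caller's visible VMs.
Vm   = Struct.new(:id, :name, :owner_group)
User = Struct.new(:name, :group)

class AuthorizationError < StandardError; end

# Constructed inventory: two VMs owned by two different groups.
VMS = [
  Vm.new(1, "web-01", "team-a"),
  Vm.new(2, "db-01",  "team-b"),
].freeze

module VmActions
  # Vulnerable pattern: any authenticated user who knows (or guesses) a VM ID
  # can run an action on it, because the lookup ignores the caller entirely.
  def self.run_unscoped(user, vm_id, action)
    vm = VMS.find { |v| v.id == vm_id }
    raise ArgumentError, "no such VM" unless vm
    "#{user.name} ran #{action} on #{vm.name}"
  end

  # The set of VMs the caller is entitled to act on (here: same group).
  def self.visible_vms(user)
    VMS.select { |v| v.owner_group == user.group }
  end

  # Hardened pattern: resolve the ID only within the caller's permitted set.
  def self.run_scoped(user, vm_id, action)
    vm = visible_vms(user).find { |v| v.id == vm_id }
    # One error for both "does not exist" and "not permitted", so the response
    # does not confirm whether a guessed ID is valid.
    raise AuthorizationError, "VM #{vm_id} not found or not permitted" unless vm
    "#{user.name} ran #{action} on #{vm.name}"
  end
end

if __FILE__ == $0
  alice = User.new("alice", "team-a")
  puts VmActions.run_unscoped(alice, 2, "stop")   # succeeds: permission bypass
  begin
    VmActions.run_scoped(alice, 2, "stop")
  rescue AuthorizationError => e
    puts "denied: #{e.message}"                   # scoped lookup refuses it
  end
end
```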