Martin Povolny of Red Hat reports: Several routes in the CloudForms app contained actions that can be performed via GET request instead of POST request. This could result in a failure to check the protect_from_forgery token, so these actions may be vulnerable to XSRF.
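One way to audit a Rails app for the pattern described in the report above, as an added example (not code from CloudForms or from the reporter): Rails' `protect_from_forgery` does not verify the token on GET or HEAD requests, so the script flags routes where a state-changing action is reachable via GET. The route listing, the controller and action names, and the action-name heuristic are constructed assumptions.

```ruby
# Flag state-changing actions that are routable via GET/HEAD, where
# protect_from_forgery performs no token verification.

# Assumption: action-name prefixes that suggest a state change.
MUTATING = /\A(create|update|destroy|delete|remove|add|set|save|start|stop|reset|toggle|assign)/

# Constructed sample in `rails routes` column order (not CloudForms routes).
SAMPLE_ROUTES = <<~ROUTES
  GET      /item/show/:id(.:format)          item#show
  GET      /item/set_owner/:id(.:format)     item#set_owner
  POST     /item/set_owner/:id(.:format)     item#set_owner
  GET|POST /item/delete_selected(.:format)   item#delete_selected
  POST     /item/update/:id(.:format)        item#update
  GET      /report/download/:id(.:format)    report#download
ROUTES

Route = Struct.new(:verbs, :path, :controller, :action)

# Parse each line into a Route; lines without a verb column are skipped.
def parse_routes(text)
  text.each_line.map do |line|
    fields = line.split
    # An optional route-name prefix is lowercase, so the verb is the
    # first all-caps field (possibly "GET|POST").
    idx = fields.index { |f| f.match?(/\A[A-Z|]+\z/) }
    next unless idx && fields[idx + 2]
    controller, action = fields[idx + 2].split('#', 2)
    next unless action
    Route.new(fields[idx].split('|'), fields[idx + 1], controller, action)
  end.compact
end

# Return "controller#action" for every mutating action reachable via GET/HEAD.
def get_reachable_mutations(routes)
  routes.select { |r| (r.verbs & %w[GET HEAD]).any? && r.action.match?(MUTATING) }
        .map { |r| "#{r.controller}##{r.action}" }
        .uniq
end

if __FILE__ == $PROGRAM_NAME
  get_reachable_mutations(parse_routes(SAMPLE_ROUTES)).each do |hit|
    puts "state-changing action reachable via GET: #{hit}"
  end
end
```

Each hit is a candidate for restricting the route to POST (or another non-GET verb) so the forgery token is actually checked; the name heuristic will miss actions with unusual names, so review the remaining GET routes by hand.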
Accidentally scored without user interaction required, corrected CVSSv2/3 scores.
This issue has been addressed in the following products:

  CloudForms Management Engine 5.7

Via RHSA-2017:0898 https://access.redhat.com/errata/RHSA-2017:0898