cfme is vulnerable to SQL injection. The vulnerability can be triggered by sending a request through the REST API to an SQL filter.
rhn.redhat.com/errata/RHSA-2015-0028.html
secunia.com/advisories/62255
access.redhat.com/documentation/en-US/CloudForms/3.1/html/Management_Engine_5.3_Technical_Notes/index.html
access.redhat.com/errata/RHSA-2015:0028
access.redhat.com/security/cve/CVE-2014-7814
access.redhat.com/security/updates/classification/#important
bugzilla.redhat.com/show_bug.cgi?id=1145304
bugzilla.redhat.com/show_bug.cgi?id=1157881
bugzilla.redhat.com/show_bug.cgi?id=1161265
bugzilla.redhat.com/show_bug.cgi?id=1161761
bugzilla.redhat.com/show_bug.cgi?id=1162725
bugzilla.redhat.com/show_bug.cgi?id=1163384
bugzilla.redhat.com/show_bug.cgi?id=1163875
bugzilla.redhat.com/show_bug.cgi?id=1164034
bugzilla.redhat.com/show_bug.cgi?id=1164035
bugzilla.redhat.com/show_bug.cgi?id=1164036
bugzilla.redhat.com/show_bug.cgi?id=1165305
bugzilla.redhat.com/show_bug.cgi?id=1166214
bugzilla.redhat.com/show_bug.cgi?id=1166215
bugzilla.redhat.com/show_bug.cgi?id=1166286
bugzilla.redhat.com/show_bug.cgi?id=1166290
bugzilla.redhat.com/show_bug.cgi?id=1168336
bugzilla.redhat.com/show_bug.cgi?id=1168384
bugzilla.redhat.com/show_bug.cgi?id=1168564
bugzilla.redhat.com/show_bug.cgi?id=1170320
bugzilla.redhat.com/show_bug.cgi?id=1170682
bugzilla.redhat.com/show_bug.cgi?id=1170794
bugzilla.redhat.com/show_bug.cgi?id=1171343
bugzilla.redhat.com/show_bug.cgi?id=1171346
bugzilla.redhat.com/show_bug.cgi?id=1171821
bugzilla.redhat.com/show_bug.cgi?id=1171899
bugzilla.redhat.com/show_bug.cgi?id=1172491
bugzilla.redhat.com/show_bug.cgi?id=1179957
bugzilla.redhat.com/show_bug.cgi?id=1179959