We have built Darga-5. This release contains security fixes, bug fixes, numerous UI tweaks, and stabilisation.
Here are the security fixes:
CVE-2016-5402 - A code injection flaw was found in the way imported capacity and utilisation control files are processed. A remote, authenticated attacker with access to the capacity and utilisation feature could use this flaw to execute arbitrary code as the user CFME runs as. This issue was discovered by Simon Lukasik (Red Hat).
CVE-2016-7071 - It was found that CloudForms did not properly apply permission controls to VM IDs passed by users. A remote, authenticated attacker could use this flaw to execute arbitrary VMs on systems managed by CloudForms if they know the ID of the VM.