CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 0CVE-2013-0210
https://notcve.org/view.php?id=CVE-2013-0210
The smart proxy Puppet run API in Foreman before 1.2.0 allows remote attackers to execute arbitrary commands via vectors related to escaping and Puppet commands. La API de ejecución de Smart Proxy Puppet en Foreman anterior a 1.2.0 permite a atacantes remotos ejecutar comandos arbitrarios a través de vectores relacionados con escaparse y comandos Puppet. • http://theforeman.org/security.html • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 6.8EPSS: 0%CPEs: 10EXPL: 0CVE-2014-0090
https://notcve.org/view.php?id=CVE-2014-0090
Session fixation vulnerability in Foreman before 1.4.2 allows remote attackers to hijack web sessions via the session id cookie. Vulnerabilidad de fijación de sesión en Foreman anterior a 1.4.2 permite a atacantes remotos secuestrar sesiones web a través de la cookie session id. • http://projects.theforeman.org/issues/4457 http://theforeman.org/security.html https://bugzilla.redhat.com/show_bug.cgi?id=1072151 • CWE-287: Improper Authentication •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2013-0187
https://notcve.org/view.php?id=CVE-2013-0187
Foreman before 1.1 allows remote authenticated users to gain privileges via a (1) XMLHttpRequest or (2) AJAX request. Foreman anterior a 1.1 permite a usuarios remotos autenticados ganar privilegios a través de una solicitud (1) XMLHttpRequest o (2) AJAX. • http://theforeman.org/security.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 0CVE-2012-5648
https://notcve.org/view.php?id=CVE-2012-5648
Multiple SQL injection vulnerabilities in Foreman before 1.0.2 allow remote attackers to execute arbitrary SQL commands via unspecified parameters to (1) app/models/hostext/search.rb or (2) app/models/puppetclass.rb, related to the search mechanism. Múltiples vulnerabilidades de inyección SQL en Foreman anterior a 1.0.2 permiten a atacantes remotos ejecutar comandos SQL arbitrarios a través de parámetros no especificados hacia (1) app/models/hostext/search.rb o (2) app/models/puppetclass.rb, relacionado con el mecanismo de búsqueda. • http://osvdb.org/show/osvdb/88618 http://osvdb.org/show/osvdb/88623 http://seclists.org/oss-sec/2012/q4/499 http://secunia.com/advisories/51557 https://exchange.xforce.ibmcloud.com/vulnerabilities/80793 https://github.com/theforeman/foreman/commit/387b764b614170f23b3552aca498612e341652db • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 1CVE-2014-0089
https://notcve.org/view.php?id=CVE-2014-0089
Cross-site scripting (XSS) vulnerability in app/views/common/500.html.erb in Foreman 1.4.x before 1.4.2 allows remote authenticated users to inject arbitrary web script or HTML via the bookmark name when adding a bookmark. Vulnerabilidad de XSS en app/views/common/500.html.erb en Foreman 1.4.x anterior a 1.4.2 permite a usuarios remotos autenticados inyectar script Web o HTML arbitrarios a través del nombre de favoritos cuando se añade un favorito. • http://projects.theforeman.org/issues/4456 http://secunia.com/advisories/57575 http://theforeman.org/security.html https://bugzilla.redhat.com/show_bug.cgi?id=1071741 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •