CVE-2014-0141
https://notcve.org/view.php?id=CVE-2014-0141
Cross-site scripting (XSS) vulnerability in Red Hat Satellite 6.0.3.
References: https://bugzilla.redhat.com/show_bug.cgi?id=1187466
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-4996 – foreman: inside discovery-debug, the root password is displayed in plaintext
https://notcve.org/view.php?id=CVE-2016-4996
discovery-debug in Foreman before 6.2, when the ssh service has been enabled on discovered nodes, displays the root password in plaintext in the system journal when it is used to log in. This allows local users with access to the system journal to obtain the root password by reading the journal, or by clicking Logs on the console. A flaw was found in discovery-debug in Foreman: an attacker with permissions to view the debug results would be able to view the root password associated with that system, potentially allowing them to access it.
References: https://access.redhat.com/errata/RHSA-2018:0336 https://bugzilla.redhat.com/show_bug.cgi?id=1349136 https://access.redhat.com/security/cve/CVE-2016-4996
CWE-255: Credentials Management Errors; CWE-532: Insertion of Sensitive Information into Log File
CVE-2014-8180
https://notcve.org/view.php?id=CVE-2014-8180
MongoDB on Red Hat Satellite 6 allows local users to bypass authentication by logging in with an empty password and to delete information, which can cause a denial of service.
References: https://access.redhat.com/documentation/en-us/red_hat_satellite/6.2/html/installation_guide/preparing_your_environment_for_installation#restricting_access_to_mongod https://bugzilla.redhat.com/show_bug.cgi?id=1301703
CWE-287: Improper Authentication
CVE-2017-5929 – logback: Serialization vulnerability in SocketServer and ServerSocketReceiver
https://notcve.org/view.php?id=CVE-2017-5929
QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components. It was found that Logback is vulnerable to a deserialization issue: Logback can be configured to allow remote logging through the SocketServer/ServerSocketReceiver interfaces, which can accept untrusted serialized data. Authenticated attackers on the adjacent network can leverage this vulnerability to execute arbitrary code through deserialization of custom gadget chains.
References: https://access.redhat.com/errata/RHSA-2017:1675 https://access.redhat.com/errata/RHSA-2017:1676 https://access.redhat.com/errata/RHSA-2017:1832 https://access.redhat.com/errata/RHSA-2018:2927 https://lists.apache.org/thread.html/18d509024d9aeb07f0e9579066f80bf5d4dcf20467b0c240043890d1%40%3Ccommits.cassandra.apache.org%3E https://lists.apache.org/thread.html/a6db61616180d73711d6db25703085940026e2dbc40f153f9d22b203%40%3Ccommits.cassandra.apache.org%3E https://lists.apache.org/thread.html/fa4eaaa6ff41ac6f79811e053c152ee89b7c5da8a6ac848ae97df67f%40%3
CWE-502: Deserialization of Untrusted Data
CVE-2016-3072 – Katello: Authenticated sql injection via sort_by and sort_order request parameter
https://notcve.org/view.php?id=CVE-2016-3072
Multiple SQL injection vulnerabilities in the scoped_search function in app/controllers/katello/api/v2/api_controller.rb in Katello allow remote authenticated users to execute arbitrary SQL commands via the (1) sort_by or (2) sort_order parameter. An input sanitization flaw was found in the scoped search parameters sort_by and sort_order in the REST API: an authenticated user could use this flaw to perform an SQL injection attack on the Katello back-end database.
References: https://access.redhat.com/errata/RHSA-2016:1083 https://bugzilla.redhat.com/show_bug.cgi?id=1322050 https://github.com/Katello/katello/pull/6051 https://access.redhat.com/security/cve/CVE-2016-3072
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')