CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 0CVE-2013-0210
https://notcve.org/view.php?id=CVE-2013-0210
The smart proxy Puppet run API in Foreman before 1.2.0 allows remote attackers to execute arbitrary commands via vectors related to escaping and Puppet commands. La API de ejecución de Smart Proxy Puppet en Foreman anterior a 1.2.0 permite a atacantes remotos ejecutar comandos arbitrarios a través de vectores relacionados con escaparse y comandos Puppet. • http://theforeman.org/security.html • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 6.8EPSS: 0%CPEs: 10EXPL: 0CVE-2014-0090
https://notcve.org/view.php?id=CVE-2014-0090
Session fixation vulnerability in Foreman before 1.4.2 allows remote attackers to hijack web sessions via the session id cookie. Vulnerabilidad de fijación de sesión en Foreman anterior a 1.4.2 permite a atacantes remotos secuestrar sesiones web a través de la cookie session id. • http://projects.theforeman.org/issues/4457 http://theforeman.org/security.html https://bugzilla.redhat.com/show_bug.cgi?id=1072151 • CWE-287: Improper Authentication •
CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 0CVE-2012-5648
https://notcve.org/view.php?id=CVE-2012-5648
Multiple SQL injection vulnerabilities in Foreman before 1.0.2 allow remote attackers to execute arbitrary SQL commands via unspecified parameters to (1) app/models/hostext/search.rb or (2) app/models/puppetclass.rb, related to the search mechanism. Múltiples vulnerabilidades de inyección SQL en Foreman anterior a 1.0.2 permiten a atacantes remotos ejecutar comandos SQL arbitrarios a través de parámetros no especificados hacia (1) app/models/hostext/search.rb o (2) app/models/puppetclass.rb, relacionado con el mecanismo de búsqueda. • http://osvdb.org/show/osvdb/88618 http://osvdb.org/show/osvdb/88623 http://seclists.org/oss-sec/2012/q4/499 http://secunia.com/advisories/51557 https://exchange.xforce.ibmcloud.com/vulnerabilities/80793 https://github.com/theforeman/foreman/commit/387b764b614170f23b3552aca498612e341652db • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 1CVE-2014-0089
https://notcve.org/view.php?id=CVE-2014-0089
Cross-site scripting (XSS) vulnerability in app/views/common/500.html.erb in Foreman 1.4.x before 1.4.2 allows remote authenticated users to inject arbitrary web script or HTML via the bookmark name when adding a bookmark. Vulnerabilidad de XSS en app/views/common/500.html.erb en Foreman 1.4.x anterior a 1.4.2 permite a usuarios remotos autenticados inyectar script Web o HTML arbitrarios a través del nombre de favoritos cuando se añade un favorito. • http://projects.theforeman.org/issues/4456 http://secunia.com/advisories/57575 http://theforeman.org/security.html https://bugzilla.redhat.com/show_bug.cgi?id=1071741 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 0CVE-2013-4386 – Foreman: host and host group parameter SQL injection
https://notcve.org/view.php?id=CVE-2013-4386
Multiple SQL injection vulnerabilities in app/models/concerns/host_common.rb in Foreman before 1.2.3 allow remote attackers to execute arbitrary SQL commands via the (1) fqdn or (2) hostgroup parameter. Múltiples vulnerabilidades de inyección SQL en app/models/concerns/host_common.rb de Foreman anterior a la versión 1.2.3 permite a atacantes remotos ejecutar comandos SQL arbitrarios a través de (1) fqdn o (2) parámetro hostgroup. • http://projects.theforeman.org/issues/3160 http://rhn.redhat.com/errata/RHSA-2013-1522.html https://groups.google.com/forum/#%21topic/foreman-announce/GKMNXM66Z84 https://access.redhat.com/security/cve/CVE-2013-4386 https://bugzilla.redhat.com/show_bug.cgi?id=1013076 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •