CVE-2013-2121 – Foreman (RedHat OpenStack/Satellite) - bookmarks/create Code Injection

https://notcve.org/view.php?id=CVE-2013-2121

Eval injection vulnerability in the create method in the Bookmarks controller in Foreman before 1.2.0-RC2 allows remote authenticated users with permissions to create bookmarks to execute arbitrary code via a controller name attribute. Vulnerabilidad de inyección Eval en el método "create" en el controlador Bookmarks en Foreman anterior a 1.2.0-RC2, permite a usuarios autenticados remotamente con permisos para crear favoritos, la ejecución arbitraria de código a través de un atributo de nombre de controlador. • https://www.exploit-db.com/exploits/27045 http://projects.theforeman.org/issues/2631 http://rhn.redhat.com/errata/RHSA-2013-0995.html http://www.exploit-db.com/exploits/27045 https://bugzilla.redhat.com/show_bug.cgi?id=966804 https://groups.google.com/forum/#%21topic/foreman-users/6WpO_3ugiXU https://access.redhat.com/security/cve/CVE-2013-2121 https://bugzilla.redhat.com/show_bug.cgi?id=968166 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') •