CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2016-9593 – foreman-debug: missing obfuscation of sensitive information
https://notcve.org/view.php?id=CVE-2016-9593
20 Feb 2018 — foreman-debug before version 1.15.0 is vulnerable to a flaw in foreman-debug's logging. An attacker with access to the foreman log file would be able to view passwords, allowing them to access those systems. foreman-debug, en versiones anteriores a la 1.15.0, es vulnerable a un error en la creación de logs de foreman-debug. Un atacante con acceso al archivo de logs de foreman podría ver contraseñas, lo que les permitiría acceder a esos sistemas. A flaw was found in foreman-debug's logging. An attacker with ... • http://www.securityfocus.com/bid/94985 • CWE-255: Credentials Management Errors CWE-522: Insufficiently Protected Credentials •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 0CVE-2017-15100 – foreman: Stored XSS in fact name or value
https://notcve.org/view.php?id=CVE-2017-15100
27 Nov 2017 — An attacker submitting facts to the Foreman server containing HTML can cause a stored XSS on certain pages: (1) Facts page, when clicking on the "chart" button and hovering over the chart; (2) Trends page, when checking the graph for a trend based on a such fact; (3) Statistics page, for facts that are aggregated on this page. Un atacante que envíe hechos que contienen HTML al servidor Foreman puede provocar Cross-Site Scripting (XSS) persistente en ciertas páginas: (1) La página Facts, al hacer clic en el ... • http://projects.theforeman.org/issues/21519 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2014-3531
https://notcve.org/view.php?id=CVE-2014-3531
18 Oct 2017 — Multiple cross-site scripting (XSS) vulnerabilities in Foreman before 1.5.2 allow remote authenticated users to inject arbitrary web script or HTML via the operating system (1) name or (2) description. Múltiples vulnerabilidades de Cross-Site Scripting (XSS) en Foreman en versiones anteriores a la 1.5.2 permiten que atacantes remotos autenticados inyecten scripts web o HTML arbitrarios mediante el nombre (1) o la descripción (2) del sistema operativo. • http://projects.theforeman.org/issues/6580 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2014-0208
https://notcve.org/view.php?id=CVE-2014-0208
16 Oct 2017 — Cross-site scripting (XSS) vulnerability in the search auto-completion functionality in Foreman before 1.4.4 allows remote authenticated users to inject arbitrary web script or HTML via a crafted key name. Vulnerabilidad Cross-Site Scripting (XSS) en la funcionalidad de autocompletar búsquedas en versiones anteriores a la 1.4.4 de Foreman permite que usuarios remotos autenticados inyecten scripts web o HTLM arbitrarios mediante una clave de nombre manipulada. • http://projects.theforeman.org/issues/5471 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2015-5246
https://notcve.org/view.php?id=CVE-2015-5246
06 Oct 2017 — The LDAP Authentication functionality in Foreman might allow remote attackers with knowledge of old passwords to gain access via vectors involving the password lifetime period in Active Directory. La funcionalidad de autenticación LDAP en Foreman podría permitir que atacantes remotos que conozcan las contraseñas anteriores obtengan acceso mediante vectores relacionados con el periodo de vida activa de contraseñas en Active Directory. • http://projects.theforeman.org/issues/11471 • CWE-254: 7PK - Security Features •
CVSS: 6.1EPSS: 0%CPEs: 45EXPL: 0CVE-2015-5282
https://notcve.org/view.php?id=CVE-2015-5282
25 Sep 2017 — Cross-site scripting (XSS) vulnerability in Foreman 1.7.0 and after. Existe una vulnerabilidad de tipo Cross-Site Scripting (XSS) en Foreman 1.7.0 y posteriores. • http://projects.theforeman.org/issues/11859 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.1EPSS: 0%CPEs: 46EXPL: 0CVE-2015-5152
https://notcve.org/view.php?id=CVE-2015-5152
14 Jul 2017 — Foreman after 1.1 and before 1.9.0-RC1 does not redirect HTTP requests to HTTPS when the require_ssl setting is set to true, which allows remote attackers to obtain user credentials via a man-in-the-middle attack. Foreman después de versión 1.1 y anterior a versión 1.9.0-RC1, no redirecciona las peticiones HTTP a HTTPS cuando la configuración require_ssl se establece en true, lo que permite a los atacantes remotos obtener las credenciales de usuario por medio de un ataque de tipo Man-In-The-Middle. • http://projects.theforeman.org/issues/11119 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.8EPSS: 0%CPEs: 75EXPL: 0CVE-2017-7505
https://notcve.org/view.php?id=CVE-2017-7505
26 May 2017 — Foreman since version 1.5 is vulnerable to an incorrect authorization check due to which users with user management permission who are assigned to some organization(s) can do all operations granted by these permissions on all administrator user object outside of their scope, such as editing global admin accounts including changing their passwords. Foreman desde la versión 1.5, es vulnerable a una comprobación de autorización incorrecta debido a que los usuarios con permiso de administración de usuario que e... • http://projects.theforeman.org/issues/19612 • CWE-269: Improper Privilege Management CWE-863: Incorrect Authorization •
CVSS: 6.3EPSS: 0%CPEs: 2EXPL: 0CVE-2016-4451 – foreman: privilege escalation through Organization and Locations API
https://notcve.org/view.php?id=CVE-2016-4451
19 Aug 2016 — The (1) Organization and (2) Locations APIs in Foreman before 1.11.3 and 1.12.x before 1.12.0-RC1 allow remote authenticated users with unlimited filters to bypass organization and location restrictions and read or modify data for an arbitrary organization by leveraging knowledge of the id of that organization. Las APIs (1) Organization y (2) Locations en Foreman en versiones anteriores a 1.11.3 y 1.12.x en versiones anteriores a 1.12.0-RC1 permiten a usuarios remotos autenticados con filtros ilimitados elu... • http://projects.theforeman.org/issues/15182 • CWE-254: 7PK - Security Features CWE-284: Improper Access Control •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2016-4475
https://notcve.org/view.php?id=CVE-2016-4475
19 Aug 2016 — The (1) Organization and (2) Locations APIs and UIs in Foreman before 1.11.4 and 1.12.x before 1.12.0-RC3 allow remote authenticated users to bypass organization and location restrictions and (a) read, (b) edit, or (c) delete arbitrary organizations or locations via unspecified vectors. Las APIs y UIs (1) Organization y (2) Locations en Foreman en versiones anteriores a 1.11.4 y 1.12.x en versiones anteriores a 1.12.0-RC3 permiten a usuarios remotos autenticados eludir las restricciones de organización y lo... • http://projects.theforeman.org/issues/15268 • CWE-254: 7PK - Security Features •