Page 4 of 53 results (0.011 seconds)

CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0

foreman-debug before version 1.15.0 is vulnerable to a flaw in foreman-debug's logging. An attacker with access to the foreman log file would be able to view passwords, allowing them to access those systems. foreman-debug, en versiones anteriores a la 1.15.0, es vulnerable a un error en la creación de logs de foreman-debug. Un atacante con acceso al archivo de logs de foreman podría ver contraseñas, lo que les permitiría acceder a esos sistemas. A flaw was found in foreman-debug's logging. An attacker with access to the foreman log file would be able to view passwords, allowing them to access those systems. • http://www.securityfocus.com/bid/94985 https://access.redhat.com/errata/RHSA-2018:0336 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9593 https://access.redhat.com/security/cve/CVE-2016-9593 https://bugzilla.redhat.com/show_bug.cgi?id=1406384 • CWE-255: Credentials Management Errors CWE-522: Insufficiently Protected Credentials •

CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 0

An attacker submitting facts to the Foreman server containing HTML can cause a stored XSS on certain pages: (1) Facts page, when clicking on the "chart" button and hovering over the chart; (2) Trends page, when checking the graph for a trend based on a such fact; (3) Statistics page, for facts that are aggregated on this page. Un atacante que envíe hechos que contienen HTML al servidor Foreman puede provocar Cross-Site Scripting (XSS) persistente en ciertas páginas: (1) La página Facts, al hacer clic en el botón "chart" y desplazándose sobre el gráfico; (2) la página Trends, al comprobar el gráfico para una tendencia basada en un hecho; (3) la página Statistics, para los hechos que se agregan en esta página. • http://projects.theforeman.org/issues/21519 https://access.redhat.com/errata/RHSA-2018:2927 https://github.com/theforeman/foreman/pull/4967 https://access.redhat.com/security/cve/CVE-2017-15100 https://bugzilla.redhat.com/show_bug.cgi?id=1508551 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0

Multiple cross-site scripting (XSS) vulnerabilities in Foreman before 1.5.2 allow remote authenticated users to inject arbitrary web script or HTML via the operating system (1) name or (2) description. Múltiples vulnerabilidades de Cross-Site Scripting (XSS) en Foreman en versiones anteriores a la 1.5.2 permiten que atacantes remotos autenticados inyecten scripts web o HTML arbitrarios mediante el nombre (1) o la descripción (2) del sistema operativo. • http://projects.theforeman.org/issues/6580 https://bugzilla.redhat.com/show_bug.cgi?id=1108745 https://github.com/theforeman/foreman/pull/1580 https://theforeman.org/security.html#2014-3531 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1

Cross-site scripting (XSS) vulnerability in the search auto-completion functionality in Foreman before 1.4.4 allows remote authenticated users to inject arbitrary web script or HTML via a crafted key name. Vulnerabilidad Cross-Site Scripting (XSS) en la funcionalidad de autocompletar búsquedas en versiones anteriores a la 1.4.4 de Foreman permite que usuarios remotos autenticados inyecten scripts web o HTLM arbitrarios mediante una clave de nombre manipulada. • http://projects.theforeman.org/issues/5471 https://bugzilla.redhat.com/show_bug.cgi?id=1094642 https://theforeman.org/security.html#2014-0208 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 8.1EPSS: 0%CPEs: 46EXPL: 0

Foreman after 1.1 and before 1.9.0-RC1 does not redirect HTTP requests to HTTPS when the require_ssl setting is set to true, which allows remote attackers to obtain user credentials via a man-in-the-middle attack. Foreman después de versión 1.1 y anterior a versión 1.9.0-RC1, no redirecciona las peticiones HTTP a HTTPS cuando la configuración require_ssl se establece en true, lo que permite a los atacantes remotos obtener las credenciales de usuario por medio de un ataque de tipo Man-In-The-Middle. • http://projects.theforeman.org/issues/11119 https://bugzilla.redhat.com/show_bug.cgi?id=1243571 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •