CVE-2014-3531
https://notcve.org/view.php?id=CVE-2014-3531
Multiple cross-site scripting (XSS) vulnerabilities in Foreman before 1.5.2 allow remote authenticated users to inject arbitrary web script or HTML via the operating system (1) name or (2) description. • http://projects.theforeman.org/issues/6580 https://bugzilla.redhat.com/show_bug.cgi?id=1108745 https://github.com/theforeman/foreman/pull/1580 https://theforeman.org/security.html#2014-3531 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-0208
https://notcve.org/view.php?id=CVE-2014-0208
Cross-site scripting (XSS) vulnerability in the search auto-completion functionality in Foreman before 1.4.4 allows remote authenticated users to inject arbitrary web script or HTML via a crafted key name. • http://projects.theforeman.org/issues/5471 https://bugzilla.redhat.com/show_bug.cgi?id=1094642 https://theforeman.org/security.html#2014-0208 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-4475
https://notcve.org/view.php?id=CVE-2016-4475
The (1) Organization and (2) Locations APIs and UIs in Foreman before 1.11.4 and 1.12.x before 1.12.0-RC3 allow remote authenticated users to bypass organization and location restrictions and (a) read, (b) edit, or (c) delete arbitrary organizations or locations via unspecified vectors. • http://projects.theforeman.org/issues/15268 http://projects.theforeman.org/projects/foreman/repository/revisions/a30ab44ed6f140f1791afc51a1e448afc2ff28f9 http://www.securityfocus.com/bid/92125 https://access.redhat.com/errata/RHBA-2016:1615 https://theforeman.org/security.html#2016-4475 • CWE-254: 7PK - Security Features
CVE-2016-4451 – foreman: privilege escalation through Organization and Locations API
https://notcve.org/view.php?id=CVE-2016-4451
The (1) Organization and (2) Locations APIs in Foreman before 1.11.3 and 1.12.x before 1.12.0-RC1 allow remote authenticated users with unlimited filters to bypass organization and location restrictions and read or modify data for an arbitrary organization by leveraging knowledge of the id of that organization. It was found that Satellite 6 did not properly enforce access controls on certain resources. An attacker with access to the API and knowledge of a resource's ID can potentially access resources belonging to other organizations. • http://projects.theforeman.org/issues/15182 http://projects.theforeman.org/projects/foreman/repository/revisions/1144040f444b4bf4aae81940a150b26b23b4623c https://access.redhat.com/errata/RHSA-2018:0336 https://theforeman.org/security.html#2016-4451 https://access.redhat.com/security/cve/CVE-2016-4451 https://bugzilla.redhat.com/show_bug.cgi?id=1339889 • CWE-254: 7PK - Security Features CWE-284: Improper Access Control
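The access-control class behind CVE-2016-4475 and CVE-2016-4451 is a lookup by id that skips the organization/location scope when the caller's role filter is unrestricted. The following Ruby is an added illustration, not Foreman's or Red Hat's code: the data, the `User` struct, the `unlimited_filter` flag and every function name are assumptions chosen to show the vulnerable pattern beside a hardened one. The hardened lookup treats "search filter is unlimited" and "taxonomy is assigned to the user" as independent checks, and returns the same result for an out-of-scope id as for an unknown id so that ids cannot be enumerated.

```ruby
require 'set'

# Constructed sample data, not Foreman's own: two organizations, two locations.
ORGANIZATIONS = { 1 => 'Engineering', 2 => 'Finance' }.freeze
LOCATIONS     = { 10 => 'Raleigh', 20 => 'Brno' }.freeze
TAXONOMIES    = { organization: ORGANIZATIONS, location: LOCATIONS }.freeze

# Hypothetical user record: which taxonomies the user is assigned to, plus a
# flag standing in for a role filter with no search restriction ("unlimited").
User = Struct.new(:login, :admin, :organization_ids, :location_ids, :unlimited_filter,
                  keyword_init: true)

def assigned_ids(user, kind)
  kind == :organization ? user.organization_ids : user.location_ids
end

# Vulnerable pattern: an unlimited filter is treated as if it also lifted the
# taxonomy restriction, so any organization or location can be fetched by id.
def find_taxonomy_vulnerable(user, kind, id)
  name = TAXONOMIES.fetch(kind)[id]
  return nil unless name
  return { id: id, name: name } if user.admin || user.unlimited_filter
  assigned_ids(user, kind).include?(id) ? { id: id, name: name } : nil
end

# Hardened pattern: the search filter and the taxonomy scope are independent
# checks; only admins bypass the scope, and an unknown id and an out-of-scope
# id look identical to the caller.
def find_taxonomy_hardened(user, kind, id)
  name = TAXONOMIES.fetch(kind)[id]
  return nil unless name
  return nil unless user.admin || assigned_ids(user, kind).include?(id)
  { id: id, name: name }
end

# Ids the vulnerable lookup exposes beyond what the hardened one allows.
def leaked_ids(user, kind)
  TAXONOMIES.fetch(kind).keys.select do |id|
    find_taxonomy_vulnerable(user, kind, id) && find_taxonomy_hardened(user, kind, id).nil?
  end
end

# Constructed users: alice holds an unlimited filter but is assigned to one
# organization and one location; bob is scoped the same way without it.
ALICE = User.new(login: 'alice', admin: false, organization_ids: Set[1],
                 location_ids: Set[10], unlimited_filter: true)
BOB   = User.new(login: 'bob', admin: false, organization_ids: Set[1],
                 location_ids: Set[10], unlimited_filter: false)
ROOT  = User.new(login: 'root', admin: true, organization_ids: Set.new,
                 location_ids: Set.new, unlimited_filter: true)

if __FILE__ == $PROGRAM_NAME
  puts "alice reaches organizations #{leaked_ids(ALICE, :organization)} only via the vulnerable lookup"
  puts "bob leaks #{leaked_ids(BOB, :organization)}, root leaks #{leaked_ids(ROOT, :organization)}"
end
```

Run stand-alone, the script shows that only the user holding the unlimited filter gains anything from the vulnerable lookup; an admin already sees everything through either path, and a scoped user without the flag is refused by both.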
CVE-2016-6320
https://notcve.org/view.php?id=CVE-2016-6320
Cross-site scripting (XSS) vulnerability in app/assets/javascripts/host_edit_interfaces.js in Foreman before 1.12.2 allows remote authenticated users to inject arbitrary web script or HTML via the network interface device identifier in the host interface form. • http://projects.theforeman.org/issues/16022 http://www.securityfocus.com/bid/92431 https://access.redhat.com/errata/RHBA-2016:1885 https://bugzilla.redhat.com/show_bug.cgi?id=1365785 https://github.com/theforeman/foreman/pull/3714/commits/850c38451c7bbde75521b796d16aca26e4d240a0 https://theforeman.org/security.html#2016-6320 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
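The three XSS entries above (CVE-2014-3531 for the operating system name and description, CVE-2014-0208 for a search autocomplete key, CVE-2016-6320 for a network interface identifier) share one root cause: a value an authenticated user controls is written into markup without escaping. The Ruby below is an added example, not code from Foreman or from the fixes linked above; the sample records, payloads and function names are constructed for illustration. It renders each field the vulnerable way and the hardened way using `ERB::Util.html_escape` from the standard library, covering both element content and a double-quoted attribute, and includes a small regression check a test suite could apply to any rendered fragment. For CVE-2016-6320 the same discipline applies on the client side, where the identifier should be inserted into the DOM as text rather than as HTML.

```ruby
require 'erb'

# Constructed sample inputs, not real Foreman records: an operating system whose
# name and description carry script, an autocomplete key, and an interface
# identifier. Each is the kind of field the advisories above name.
SAMPLE_OS = {
  name: 'RHEL <script>alert(1)</script>',
  description: 'server" onmouseover="alert(2)'
}.freeze
SAMPLE_KEY = 'os_title <img src=x onerror=alert(3)>'
SAMPLE_IDENTIFIER = 'eth0"><svg onload=alert(4)>'

# Vulnerable pattern: attacker-controlled fields are interpolated straight into
# markup, in element content and inside a quoted attribute.
def os_row_vulnerable(os)
  "<tr><td>#{os[:name]}</td><td title=\"#{os[:description]}\"></td></tr>"
end

# Hardened pattern: every untrusted value is escaped at the point it enters
# HTML. ERB::Util.html_escape rewrites & < > " and ' so neither element content
# nor a double-quoted attribute can be broken out of.
def os_row_hardened(os)
  "<tr><td>#{ERB::Util.html_escape(os[:name])}</td>" \
  "<td title=\"#{ERB::Util.html_escape(os[:description])}\"></td></tr>"
end

# Same rule for a list item built from a search autocomplete key or a network
# interface identifier: escape once, reuse the escaped value everywhere.
def list_item_vulnerable(value)
  "<li data-value=\"#{value}\">#{value}</li>"
end

def list_item_hardened(value)
  escaped = ERB::Util.html_escape(value)
  "<li data-value=\"#{escaped}\">#{escaped}</li>"
end

# Regression check: true when a raw untrusted value containing markup
# metacharacters survives unescaped in the rendered output.
def reflects_raw_markup?(html, value)
  value =~ /[<>"']/ && html.include?(value) ? true : false
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable OS row reflects payload: #{reflects_raw_markup?(os_row_vulnerable(SAMPLE_OS), SAMPLE_OS[:name])}"
  puts "hardened OS row reflects payload:   #{reflects_raw_markup?(os_row_hardened(SAMPLE_OS), SAMPLE_OS[:name])}"
  puts os_row_hardened(SAMPLE_OS)
  puts list_item_hardened(SAMPLE_IDENTIFIER)
end
```

The attribute case matters as much as the element-content case: the description payload never contains `<`, so a filter that only strips tags would pass it, while escaping `"` closes off the attribute breakout.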