CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2014-3531
https://notcve.org/view.php?id=CVE-2014-3531
Multiple cross-site scripting (XSS) vulnerabilities in Foreman before 1.5.2 allow remote authenticated users to inject arbitrary web script or HTML via the operating system (1) name or (2) description. Múltiples vulnerabilidades de Cross-Site Scripting (XSS) en Foreman en versiones anteriores a la 1.5.2 permiten que atacantes remotos autenticados inyecten scripts web o HTML arbitrarios mediante el nombre (1) o la descripción (2) del sistema operativo. • http://projects.theforeman.org/issues/6580 https://bugzilla.redhat.com/show_bug.cgi?id=1108745 https://github.com/theforeman/foreman/pull/1580 https://theforeman.org/security.html#2014-3531 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2014-0208
https://notcve.org/view.php?id=CVE-2014-0208
Cross-site scripting (XSS) vulnerability in the search auto-completion functionality in Foreman before 1.4.4 allows remote authenticated users to inject arbitrary web script or HTML via a crafted key name. Vulnerabilidad Cross-Site Scripting (XSS) en la funcionalidad de autocompletar búsquedas en versiones anteriores a la 1.4.4 de Foreman permite que usuarios remotos autenticados inyecten scripts web o HTLM arbitrarios mediante una clave de nombre manipulada. • http://projects.theforeman.org/issues/5471 https://bugzilla.redhat.com/show_bug.cgi?id=1094642 https://theforeman.org/security.html#2014-0208 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2016-6320
https://notcve.org/view.php?id=CVE-2016-6320
Cross-site scripting (XSS) vulnerability in app/assets/javascripts/host_edit_interfaces.js in Foreman before 1.12.2 allows remote authenticated users to inject arbitrary web script or HTML via the network interface device identifier in the host interface form. Vulnerabilidad de XSS en app/assets/javascripts/host_edit_interfaces.js en Foreman en versiones anteriores a 1.12.2 permite a usuarios remotos autenticados inyectar secuencias de comandos web o HTML arbitrarios a través del identificador de dispositivo de interfaz de red en el formulario de interfaz del anfitrión. • http://projects.theforeman.org/issues/16022 http://www.securityfocus.com/bid/92431 https://access.redhat.com/errata/RHBA-2016:1885 https://bugzilla.redhat.com/show_bug.cgi?id=1365785 https://github.com/theforeman/foreman/pull/3714/commits/850c38451c7bbde75521b796d16aca26e4d240a0 https://theforeman.org/security.html#2016-6320 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2016-4475
https://notcve.org/view.php?id=CVE-2016-4475
The (1) Organization and (2) Locations APIs and UIs in Foreman before 1.11.4 and 1.12.x before 1.12.0-RC3 allow remote authenticated users to bypass organization and location restrictions and (a) read, (b) edit, or (c) delete arbitrary organizations or locations via unspecified vectors. Las APIs y UIs (1) Organization y (2) Locations en Foreman en versiones anteriores a 1.11.4 y 1.12.x en versiones anteriores a 1.12.0-RC3 permiten a usuarios remotos autenticados eludir las restricciones de organización y localización y (a) leer, (b) editar o (c) eliminar organizaciones o localizaciones arbitrarias a través de vectores no especificados. • http://projects.theforeman.org/issues/15268 http://projects.theforeman.org/projects/foreman/repository/revisions/a30ab44ed6f140f1791afc51a1e448afc2ff28f9 http://www.securityfocus.com/bid/92125 https://access.redhat.com/errata/RHBA-2016:1615 https://theforeman.org/security.html#2016-4475 • CWE-254: 7PK - Security Features •
CVSS: 6.1EPSS: 1%CPEs: 1EXPL: 0CVE-2016-6319 – foreman: Persistent XSS in Foreman remote execution plugin
https://notcve.org/view.php?id=CVE-2016-6319
Cross-site scripting (XSS) vulnerability in app/helpers/form_helper.rb in Foreman before 1.12.2, as used by Remote Execution and possibly other plugins, allows remote attackers to inject arbitrary web script or HTML via the label parameter. Vulnerabilidad de XSS en app/helpers/form_helper.rb en Foreman en versiones anteriores a 1.12.2, como se utiliza en Remote Execution y posiblemente otros plugins, permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través del parámetro de etiqueta. It was found that foreman is vulnerable to a stored XSS via a job template with a malformed name. This could allow an attacker with privileges to set the name in a template to display arbitrary HTML including scripting code within the web interface. • http://projects.theforeman.org/issues/16019 http://projects.theforeman.org/issues/16024 http://www.securityfocus.com/bid/92429 https://access.redhat.com/errata/RHSA-2018:0336 https://bugzilla.redhat.com/show_bug.cgi?id=1365815 https://github.com/theforeman/foreman/commit/0f35fe14acf0d0d3b55e9337bc5e2b9640ff2372 https://theforeman.org/security.html#2016-6319 https://access.redhat.com/security/cve/CVE-2016-6319 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •