CVSS: 6.1EPSS: 0%CPEs: 45EXPL: 0CVE-2015-5282
https://notcve.org/view.php?id=CVE-2015-5282
Cross-site scripting (XSS) vulnerability in Foreman 1.7.0 and after. Existe una vulnerabilidad de tipo Cross-Site Scripting (XSS) en Foreman 1.7.0 y posteriores. • http://projects.theforeman.org/issues/11859 http://www.openwall.com/lists/oss-security/2015/09/21/3 https://bugzilla.redhat.com/show_bug.cgi?id=1264221 https://github.com/theforeman/foreman/commit/4f3555b217be8723e8045f9816d147b5f684ec57 https://theforeman.org/security.html#2015-5282 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 75EXPL: 0CVE-2017-7505
https://notcve.org/view.php?id=CVE-2017-7505
Foreman since version 1.5 is vulnerable to an incorrect authorization check due to which users with user management permission who are assigned to some organization(s) can do all operations granted by these permissions on all administrator user object outside of their scope, such as editing global admin accounts including changing their passwords. Foreman desde la versión 1.5, es vulnerable a una comprobación de autorización incorrecta debido a que los usuarios con permiso de administración de usuario que están asignados a alguna organización(es) pueden realizar todas las operaciones otorgadas por estos permisos sobre todos los objetos del usuario administrador fuera de su alcance, tal como la edición de cuentas de administrador global incluyendo el cambio de sus contraseñas. • http://projects.theforeman.org/issues/19612 http://www.securityfocus.com/bid/98607 https://github.com/theforeman/foreman/pull/4545 • CWE-269: Improper Privilege Management CWE-863: Incorrect Authorization •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2016-4475
https://notcve.org/view.php?id=CVE-2016-4475
The (1) Organization and (2) Locations APIs and UIs in Foreman before 1.11.4 and 1.12.x before 1.12.0-RC3 allow remote authenticated users to bypass organization and location restrictions and (a) read, (b) edit, or (c) delete arbitrary organizations or locations via unspecified vectors. Las APIs y UIs (1) Organization y (2) Locations en Foreman en versiones anteriores a 1.11.4 y 1.12.x en versiones anteriores a 1.12.0-RC3 permiten a usuarios remotos autenticados eludir las restricciones de organización y localización y (a) leer, (b) editar o (c) eliminar organizaciones o localizaciones arbitrarias a través de vectores no especificados. • http://projects.theforeman.org/issues/15268 http://projects.theforeman.org/projects/foreman/repository/revisions/a30ab44ed6f140f1791afc51a1e448afc2ff28f9 http://www.securityfocus.com/bid/92125 https://access.redhat.com/errata/RHBA-2016:1615 https://theforeman.org/security.html#2016-4475 • CWE-254: 7PK - Security Features •
CVSS: 6.3EPSS: 0%CPEs: 2EXPL: 0CVE-2016-4451 – foreman: privilege escalation through Organization and Locations API
https://notcve.org/view.php?id=CVE-2016-4451
The (1) Organization and (2) Locations APIs in Foreman before 1.11.3 and 1.12.x before 1.12.0-RC1 allow remote authenticated users with unlimited filters to bypass organization and location restrictions and read or modify data for an arbitrary organization by leveraging knowledge of the id of that organization. Las APIs (1) Organization y (2) Locations en Foreman en versiones anteriores a 1.11.3 y 1.12.x en versiones anteriores a 1.12.0-RC1 permiten a usuarios remotos autenticados con filtros ilimitados eludir restricciones de organización y localización y leer o modificar datos de una organización arbitraria aprovechando el conocimiento de la id de esa organización. It was found that Satellite 6 did not properly enforce access controls on certain resources. An attacker, with access to the API and knowledge of the ID name, can potentially access other resources in other organizations. • http://projects.theforeman.org/issues/15182 http://projects.theforeman.org/projects/foreman/repository/revisions/1144040f444b4bf4aae81940a150b26b23b4623c https://access.redhat.com/errata/RHSA-2018:0336 https://theforeman.org/security.html#2016-4451 https://access.redhat.com/security/cve/CVE-2016-4451 https://bugzilla.redhat.com/show_bug.cgi?id=1339889 • CWE-254: 7PK - Security Features CWE-284: Improper Access Control •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2016-6320
https://notcve.org/view.php?id=CVE-2016-6320
Cross-site scripting (XSS) vulnerability in app/assets/javascripts/host_edit_interfaces.js in Foreman before 1.12.2 allows remote authenticated users to inject arbitrary web script or HTML via the network interface device identifier in the host interface form. Vulnerabilidad de XSS en app/assets/javascripts/host_edit_interfaces.js en Foreman en versiones anteriores a 1.12.2 permite a usuarios remotos autenticados inyectar secuencias de comandos web o HTML arbitrarios a través del identificador de dispositivo de interfaz de red en el formulario de interfaz del anfitrión. • http://projects.theforeman.org/issues/16022 http://www.securityfocus.com/bid/92431 https://access.redhat.com/errata/RHBA-2016:1885 https://bugzilla.redhat.com/show_bug.cgi?id=1365785 https://github.com/theforeman/foreman/pull/3714/commits/850c38451c7bbde75521b796d16aca26e4d240a0 https://theforeman.org/security.html#2016-6320 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •