Page 5 of 53 results (0.004 seconds)

CVSS: 8.8EPSS: 0%CPEs: 75EXPL: 0

Foreman since version 1.5 is vulnerable to an incorrect authorization check due to which users with user management permission who are assigned to some organization(s) can do all operations granted by these permissions on all administrator user object outside of their scope, such as editing global admin accounts including changing their passwords. Foreman desde la versión 1.5, es vulnerable a una comprobación de autorización incorrecta debido a que los usuarios con permiso de administración de usuario que están asignados a alguna organización(es) pueden realizar todas las operaciones otorgadas por estos permisos sobre todos los objetos del usuario administrador fuera de su alcance, tal como la edición de cuentas de administrador global incluyendo el cambio de sus contraseñas. • http://projects.theforeman.org/issues/19612 http://www.securityfocus.com/bid/98607 https://github.com/theforeman/foreman/pull/4545 • CWE-269: Improper Privilege Management CWE-863: Incorrect Authorization •

CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0

The (1) Organization and (2) Locations APIs and UIs in Foreman before 1.11.4 and 1.12.x before 1.12.0-RC3 allow remote authenticated users to bypass organization and location restrictions and (a) read, (b) edit, or (c) delete arbitrary organizations or locations via unspecified vectors. Las APIs y UIs (1) Organization y (2) Locations en Foreman en versiones anteriores a 1.11.4 y 1.12.x en versiones anteriores a 1.12.0-RC3 permiten a usuarios remotos autenticados eludir las restricciones de organización y localización y (a) leer, (b) editar o (c) eliminar organizaciones o localizaciones arbitrarias a través de vectores no especificados. • http://projects.theforeman.org/issues/15268 http://projects.theforeman.org/projects/foreman/repository/revisions/a30ab44ed6f140f1791afc51a1e448afc2ff28f9 http://www.securityfocus.com/bid/92125 https://access.redhat.com/errata/RHBA-2016:1615 https://theforeman.org/security.html#2016-4475 • CWE-254: 7PK - Security Features •

CVSS: 6.3EPSS: 0%CPEs: 2EXPL: 0

The (1) Organization and (2) Locations APIs in Foreman before 1.11.3 and 1.12.x before 1.12.0-RC1 allow remote authenticated users with unlimited filters to bypass organization and location restrictions and read or modify data for an arbitrary organization by leveraging knowledge of the id of that organization. Las APIs (1) Organization y (2) Locations en Foreman en versiones anteriores a 1.11.3 y 1.12.x en versiones anteriores a 1.12.0-RC1 permiten a usuarios remotos autenticados con filtros ilimitados eludir restricciones de organización y localización y leer o modificar datos de una organización arbitraria aprovechando el conocimiento de la id de esa organización. It was found that Satellite 6 did not properly enforce access controls on certain resources. An attacker, with access to the API and knowledge of the ID name, can potentially access other resources in other organizations. • http://projects.theforeman.org/issues/15182 http://projects.theforeman.org/projects/foreman/repository/revisions/1144040f444b4bf4aae81940a150b26b23b4623c https://access.redhat.com/errata/RHSA-2018:0336 https://theforeman.org/security.html#2016-4451 https://access.redhat.com/security/cve/CVE-2016-4451 https://bugzilla.redhat.com/show_bug.cgi?id=1339889 • CWE-254: 7PK - Security Features CWE-284: Improper Access Control •

CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0

Cross-site scripting (XSS) vulnerability in app/assets/javascripts/host_edit_interfaces.js in Foreman before 1.12.2 allows remote authenticated users to inject arbitrary web script or HTML via the network interface device identifier in the host interface form. Vulnerabilidad de XSS en app/assets/javascripts/host_edit_interfaces.js en Foreman en versiones anteriores a 1.12.2 permite a usuarios remotos autenticados inyectar secuencias de comandos web o HTML arbitrarios a través del identificador de dispositivo de interfaz de red en el formulario de interfaz del anfitrión. • http://projects.theforeman.org/issues/16022 http://www.securityfocus.com/bid/92431 https://access.redhat.com/errata/RHBA-2016:1885 https://bugzilla.redhat.com/show_bug.cgi?id=1365785 https://github.com/theforeman/foreman/pull/3714/commits/850c38451c7bbde75521b796d16aca26e4d240a0 https://theforeman.org/security.html#2016-6320 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.1EPSS: 1%CPEs: 1EXPL: 0

Cross-site scripting (XSS) vulnerability in app/helpers/form_helper.rb in Foreman before 1.12.2, as used by Remote Execution and possibly other plugins, allows remote attackers to inject arbitrary web script or HTML via the label parameter. Vulnerabilidad de XSS en app/helpers/form_helper.rb en Foreman en versiones anteriores a 1.12.2, como se utiliza en Remote Execution y posiblemente otros plugins, permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través del parámetro de etiqueta. It was found that foreman is vulnerable to a stored XSS via a job template with a malformed name. This could allow an attacker with privileges to set the name in a template to display arbitrary HTML including scripting code within the web interface. • http://projects.theforeman.org/issues/16019 http://projects.theforeman.org/issues/16024 http://www.securityfocus.com/bid/92429 https://access.redhat.com/errata/RHSA-2018:0336 https://bugzilla.redhat.com/show_bug.cgi?id=1365815 https://github.com/theforeman/foreman/commit/0f35fe14acf0d0d3b55e9337bc5e2b9640ff2372 https://theforeman.org/security.html#2016-6319 https://access.redhat.com/security/cve/CVE-2016-6319 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •