CVE-2014-0007 – Foreman Smart-Proxy - Remote Command Injection
https://notcve.org/view.php?id=CVE-2014-0007
The Smart-Proxy in Foreman before 1.4.5 and 1.5.x before 1.5.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the path parameter to tftp/fetch_boot_file. Smart-Proxy en Foreman anterior a 1.4.5 y 1.5.x anterior a 1.5.1 permite a atacantes remotos ejecutar comandos arbitrarios a través de metacaracteres de shell en el parámetro path en tftp/fetch_boot_file. • https://www.exploit-db.com/exploits/39222 http://projects.theforeman.org/issues/6086 http://rhn.redhat.com/errata/RHSA-2014-0770.html https://access.redhat.com/security/cve/CVE-2014-0007 https://bugzilla.redhat.com/show_bug.cgi?id=1105369 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVE-2014-0090
https://notcve.org/view.php?id=CVE-2014-0090
Session fixation vulnerability in Foreman before 1.4.2 allows remote attackers to hijack web sessions via the session id cookie. Vulnerabilidad de fijación de sesión en Foreman anterior a 1.4.2 permite a atacantes remotos secuestrar sesiones web a través de la cookie session id. • http://projects.theforeman.org/issues/4457 http://theforeman.org/security.html https://bugzilla.redhat.com/show_bug.cgi?id=1072151 • CWE-287: Improper Authentication •