CVE-2014-0090
https://notcve.org/view.php?id=CVE-2014-0090
Session fixation vulnerability in Foreman before 1.4.2 allows remote attackers to hijack web sessions via the session id cookie. Vulnerabilidad de fijación de sesión en Foreman anterior a 1.4.2 permite a atacantes remotos secuestrar sesiones web a través de la cookie session id. • http://projects.theforeman.org/issues/4457 http://theforeman.org/security.html https://bugzilla.redhat.com/show_bug.cgi?id=1072151 • CWE-287: Improper Authentication •
CVE-2012-5648
https://notcve.org/view.php?id=CVE-2012-5648
Multiple SQL injection vulnerabilities in Foreman before 1.0.2 allow remote attackers to execute arbitrary SQL commands via unspecified parameters to (1) app/models/hostext/search.rb or (2) app/models/puppetclass.rb, related to the search mechanism. Múltiples vulnerabilidades de inyección SQL en Foreman anterior a 1.0.2 permiten a atacantes remotos ejecutar comandos SQL arbitrarios a través de parámetros no especificados hacia (1) app/models/hostext/search.rb o (2) app/models/puppetclass.rb, relacionado con el mecanismo de búsqueda. • http://osvdb.org/show/osvdb/88618 http://osvdb.org/show/osvdb/88623 http://seclists.org/oss-sec/2012/q4/499 http://secunia.com/advisories/51557 https://exchange.xforce.ibmcloud.com/vulnerabilities/80793 https://github.com/theforeman/foreman/commit/387b764b614170f23b3552aca498612e341652db • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2013-4386 – Foreman: host and host group parameter SQL injection
https://notcve.org/view.php?id=CVE-2013-4386
Multiple SQL injection vulnerabilities in app/models/concerns/host_common.rb in Foreman before 1.2.3 allow remote attackers to execute arbitrary SQL commands via the (1) fqdn or (2) hostgroup parameter. Múltiples vulnerabilidades de inyección SQL en app/models/concerns/host_common.rb de Foreman anterior a la versión 1.2.3 permite a atacantes remotos ejecutar comandos SQL arbitrarios a través de (1) fqdn o (2) parámetro hostgroup. • http://projects.theforeman.org/issues/3160 http://rhn.redhat.com/errata/RHSA-2013-1522.html https://groups.google.com/forum/#%21topic/foreman-announce/GKMNXM66Z84 https://access.redhat.com/security/cve/CVE-2013-4386 https://bugzilla.redhat.com/show_bug.cgi?id=1013076 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2013-4180 – Foreman: hosts_controller.rb power/ipmi_boot Symbol creation DoS
https://notcve.org/view.php?id=CVE-2013-4180
The (1) power and (2) ipmi_boot actions in the HostController in Foreman before 1.2.2 allow remote attackers to cause a denial of service (memory consumption) via unspecified input that is converted to a symbol. Las acciones (1) power y (2) ipmi_boot en el HostController de Foreman anterior 1.2.2 permite a atacante remoto causar denegacion de servicio (consumo de memoria) a través de una entrda sin especificar que es convertida a un simbolo • http://projects.theforeman.org/issues/2860 http://rhn.redhat.com/errata/RHSA-2013-1196.html http://theforeman.org/manuals/1.2/index.html#Releasenotesfor1.2.2 https://access.redhat.com/security/cve/CVE-2013-4180 https://bugzilla.redhat.com/show_bug.cgi?id=989755 • CWE-20: Improper Input Validation CWE-400: Uncontrolled Resource Consumption •
CVE-2013-4182 – foreman: app/controllers/api/v1/hosts_controller.rb API privilege escalation
https://notcve.org/view.php?id=CVE-2013-4182
app/controllers/api/v1/hosts_controller.rb in Foreman before 1.2.2 does not properly restrict access to hosts, which allows remote attackers to access arbitrary hosts via an API request. app/controllers/api/v1/hosts_controller.rb en Foreman anteriores a v1.2.2 no restringe correctamente el acceso a hosts arbitrarios a través de una petición API. • http://projects.theforeman.org/issues/2863 http://rhn.redhat.com/errata/RHSA-2013-1196.html http://theforeman.org/manuals/1.2/index.html#Releasenotesfor1.2.2 https://bugzilla.redhat.com/show_bug.cgi?id=990374 https://access.redhat.com/security/cve/CVE-2013-4182 • CWE-264: Permissions, Privileges, and Access Controls CWE-862: Missing Authorization •