CVSS: 9.1EPSS: 0%CPEs: 3EXPL: 0CVE-2023-0118 – Foreman: arbitrary code execution through templates
https://notcve.org/view.php?id=CVE-2023-0118
An arbitrary code execution flaw was found in Foreman. This flaw allows an admin user to bypass safe mode in templates and execute arbitrary code on the underlying operating system. Se encontró una falla en la ejecución de código arbitrario en Foreman. Esta falla permite a un usuario administrador omitir el modo seguro en las plantillas y ejecutar código arbitrario en el sistema operativo subyacente. • https://access.redhat.com/errata/RHSA-2023:4466 https://access.redhat.com/errata/RHSA-2023:5979 https://access.redhat.com/errata/RHSA-2023:5980 https://access.redhat.com/errata/RHSA-2023:6818 https://access.redhat.com/security/cve/CVE-2023-0118 https://bugzilla.redhat.com/show_bug.cgi?id=2159291 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 0CVE-2023-0119 – Foreman: stored cross-site scripting in host tab
https://notcve.org/view.php?id=CVE-2023-0119
A stored Cross-site scripting vulnerability was found in foreman. The Comment section in the Hosts tab has incorrect filtering of user input data. As a result of the attack, an attacker with an existing account on the system can steal another user's session, make requests on behalf of the user, and obtain user credentials. Se encontró una vulnerabilidad de Cross-Site Scripting almacenada en foreman. La sección Comment en la pestaña Hosts tiene un filtrado incorrecto de los datos de entrada del usuario. • https://access.redhat.com/errata/RHSA-2023:3387 https://access.redhat.com/errata/RHSA-2023:6818 https://access.redhat.com/security/cve/CVE-2023-0119 https://bugzilla.redhat.com/show_bug.cgi?id=2159104 https://projects.theforeman.org/issues/35977 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •