Filtered by vendor Theforeman
Subscribe
Total
90 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2016-6319 | 1 Theforeman | 1 Foreman | 2025-04-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in app/helpers/form_helper.rb in Foreman before 1.12.2, as used by Remote Execution and possibly other plugins, allows remote attackers to inject arbitrary web script or HTML via the label parameter. | |||||
| CVE-2016-2100 | 1 Theforeman | 1 Foreman | 2025-04-12 | 6.5 MEDIUM | 5.4 MEDIUM |
| Foreman before 1.10.3 and 1.11.0 before 1.11.0-RC2 allow remote authenticated users to read, modify, or delete private bookmarks by leveraging the (1) edit_bookmarks or (2) destroy_bookmarks permission. | |||||
| CVE-2012-5648 | 1 Theforeman | 1 Foreman | 2025-04-12 | 7.5 HIGH | N/A |
| Multiple SQL injection vulnerabilities in Foreman before 1.0.2 allow remote attackers to execute arbitrary SQL commands via unspecified parameters to (1) app/models/hostext/search.rb or (2) app/models/puppetclass.rb, related to the search mechanism. | |||||
| CVE-2013-0210 | 1 Theforeman | 1 Foreman | 2025-04-12 | 7.5 HIGH | N/A |
| The smart proxy Puppet run API in Foreman before 1.2.0 allows remote attackers to execute arbitrary commands via vectors related to escaping and Puppet commands. | |||||
| CVE-2014-3691 | 2 Redhat, Theforeman | 2 Openstack, Foreman | 2025-04-12 | 7.5 HIGH | N/A |
| Smart Proxy (aka Smart-Proxy and foreman-proxy) in Foreman before 1.5.4 and 1.6.x before 1.6.2 does not validate SSL certificates, which allows remote attackers to bypass intended authentication and execute arbitrary API requests via a request without a certificate. | |||||
| CVE-2015-5233 | 2 Redhat, Theforeman | 2 Satellite, Foreman | 2025-04-12 | 6.0 MEDIUM | 4.2 MEDIUM |
| Foreman before 1.8.4 and 1.9.x before 1.9.1 do not properly apply view_hosts permissions, which allows (1) remote authenticated users with the view_reports permission to read reports from arbitrary hosts or (2) remote authenticated users with the destroy_reports permission to delete reports from arbitrary hosts via direct access to the (a) individual report show/delete pages or (b) APIs. | |||||
| CVE-2015-3155 | 1 Theforeman | 1 Foreman | 2025-04-12 | 5.0 MEDIUM | N/A |
| Foreman before 1.8.1 does not set the secure flag for the _session_id cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session. | |||||
| CVE-2014-3491 | 1 Theforeman | 1 Foreman | 2025-04-12 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in Foreman before 1.4.5 and 1.5.x before 1.5.1 allows remote attackers to inject arbitrary web script or HTML via the Name field to the New Host groups page, related to create, update, and destroy notification boxes. | |||||
| CVE-2016-4995 | 1 Theforeman | 1 Foreman | 2025-04-12 | 3.5 LOW | 5.3 MEDIUM |
| Foreman before 1.11.4 and 1.12.x before 1.12.1 does not properly restrict access to preview provisioning templates, which allows remote authenticated users with permission to view some hosts to obtain sensitive host configuration information via a URL with a hostname. | |||||
| CVE-2015-1816 | 1 Theforeman | 1 Foreman | 2025-04-12 | 5.0 MEDIUM | N/A |
| Forman before 1.7.4 does not verify SSL certificates for LDAP connections, which allows man-in-the-middle attackers to spoof LDAP servers via a crafted certificate. | |||||
| CVE-2016-4475 | 1 Theforeman | 1 Foreman | 2025-04-12 | 6.5 MEDIUM | 8.8 HIGH |
| The (1) Organization and (2) Locations APIs and UIs in Foreman before 1.11.4 and 1.12.x before 1.12.0-RC3 allow remote authenticated users to bypass organization and location restrictions and (a) read, (b) edit, or (c) delete arbitrary organizations or locations via unspecified vectors. | |||||
| CVE-2014-0089 | 1 Theforeman | 1 Foreman | 2025-04-12 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in app/views/common/500.html.erb in Foreman 1.4.x before 1.4.2 allows remote authenticated users to inject arbitrary web script or HTML via the bookmark name when adding a bookmark. | |||||
| CVE-2015-7518 | 1 Theforeman | 1 Foreman | 2025-04-12 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in information popups in Foreman before 1.10.0 allow remote attackers to inject arbitrary web script or HTML via (1) global parameters, (2) smart class parameters, or (3) smart variables in the (a) host or (b) hostgroup edit forms. | |||||
| CVE-2014-0007 | 1 Theforeman | 1 Foreman | 2025-04-12 | 7.5 HIGH | N/A |
| The Smart-Proxy in Foreman before 1.4.5 and 1.5.x before 1.5.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the path parameter to tftp/fetch_boot_file. | |||||
| CVE-2014-0090 | 1 Theforeman | 1 Foreman | 2025-04-12 | 6.8 MEDIUM | N/A |
| Session fixation vulnerability in Foreman before 1.4.2 allows remote attackers to hijack web sessions via the session id cookie. | |||||
| CVE-2013-0174 | 1 Theforeman | 1 Foreman | 2025-04-12 | 5.0 MEDIUM | N/A |
| The external node classifier (ENC) API in Foreman before 1.1 allows remote attackers to obtain the hashed root password via an API request. | |||||
| CVE-2013-2143 | 2 Redhat, Theforeman | 2 Network Satellite, Katello | 2025-04-12 | 6.5 MEDIUM | N/A |
| The users controller in Katello 1.5.0-14 and earlier, and Red Hat Satellite, does not check authorization for the update_roles action, which allows remote authenticated users to gain privileges by setting a user account to an administrator account. | |||||
| CVE-2013-0173 | 1 Theforeman | 1 Foreman | 2025-04-12 | 5.0 MEDIUM | N/A |
| Foreman before 1.1 uses a salt of "foreman" to hash root passwords, which makes it easier for attackers to guess the password via a brute force attack. | |||||
| CVE-2014-3492 | 1 Theforeman | 1 Foreman | 2025-04-12 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in the host YAML view in Foreman before 1.4.5 and 1.5.x before 1.5.1 allow remote attackers to inject arbitrary web script or HTML via a parameter (1) name or (2) value related to the host. | |||||
| CVE-2013-2121 | 2 Redhat, Theforeman | 2 Openstack, Foreman | 2025-04-11 | 6.0 MEDIUM | N/A |
| Eval injection vulnerability in the create method in the Bookmarks controller in Foreman before 1.2.0-RC2 allows remote authenticated users with permissions to create bookmarks to execute arbitrary code via a controller name attribute. | |||||