Filtered by vendor Theforeman
Subscribe
Total
90 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2016-8613 | 1 Theforeman | 1 Foreman | 2024-11-21 | 4.3 MEDIUM | 6.4 MEDIUM |
| A flaw was found in foreman 1.5.1. The remote execution plugin runs commands on hosts over SSH from the Foreman web UI. When a job is submitted that contains HTML tags, the console output shown in the web UI does not escape the output causing any HTML or JavaScript to run in the user's browser. The output of the job is stored, making this a stored XSS vulnerability. | |||||
| CVE-2016-7078 | 1 Theforeman | 1 Foreman | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| foreman before version 1.15.0 is vulnerable to an information leak through organizations and locations feature. When a user is assigned _no_ organizations/locations, they are able to view all resources instead of none (mirroring an administrator's view). The user's actions are still limited by their assigned permissions, e.g. to control viewing, editing and deletion. | |||||
| CVE-2016-7077 | 1 Theforeman | 1 Foreman | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| foreman before 1.14.0 is vulnerable to an information leak. It was found that Foreman form helper does not authorize options for associated objects. Unauthorized user can see names of such objects if their count is less than 6. | |||||
| CVE-2014-8183 | 2 Redhat, Theforeman | 2 Satellite, Foreman | 2024-11-21 | 6.5 MEDIUM | 7.4 HIGH |
| It was found that foreman, versions 1.x.x before 1.15.6, in Satellite 6 did not properly enforce access controls on certain resources. An attacker with access to the API and knowledge of the resource name can access resources in other organizations. | |||||
| CVE-2014-0241 | 2 Redhat, Theforeman | 2 Satellite, Hammer Cli | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
| rubygem-hammer_cli_foreman: File /etc/hammer/cli.modules.d/foreman.yml world readable | |||||
| CVE-2014-0091 | 1 Theforeman | 1 Foreman | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| Foreman has improper input validation which could lead to partial Denial of Service | |||||
| CVE-2013-4120 | 1 Theforeman | 1 Katello | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Katello has a Denial of Service vulnerability in API OAuth authentication | |||||
| CVE-2013-2101 | 2 Redhat, Theforeman | 2 Satellite, Katello | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| Katello has multiple XSS issues in various entities | |||||
| CVE-2013-0283 | 1 Theforeman | 1 Katello | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| Katello: Username in Notification page has cross site scripting | |||||
| CVE-2024-7700 | 2 Redhat, Theforeman | 2 Satellite, Foreman | 2024-09-16 | N/A | 6.5 MEDIUM |
| A command injection flaw was found in the "Host Init Config" template in the Foreman application via the "Install Packages" field on the "Register Host" page. This flaw allows an attacker with the necessary privileges to inject arbitrary commands into the configuration, potentially allowing unauthorized command execution during host registration. Although this issue requires user interaction to execute injected commands, it poses a significant risk if an unsuspecting user runs the generated registration script. | |||||