← Back

Cobbler

cobbler

Vendor: Cobblerd • 5 CVEs

CVEs (5)

CVE
VENDORS
PRODUCTS
UPDATED
PUBLISHED
CVSS
CVE-2011-4954
1Cobblerd
1Cobbler
Nov 21, 2024
Nov 19, 2019
N/A· v4
7.8 HIGH· v3
7.2 HIGH· v2
cobbler has local privilege escalation via the use of insecure location for PYTHON_EGG_CACHE
CVE-2011-4952
1Cobblerd
1Cobbler
Nov 21, 2024
Nov 19, 2019
N/A· v4
8.8 HIGH· v3
6.8 MEDIUM· v2
cobbler: Web interface lacks CSRF protection when using Django framework
CVE-2018-1000226
1Cobblerd
1Cobbler
Nov 21, 2024
Aug 20, 2018
N/A· v4
9.8 CRITICAL· v3
7.5 HIGH· v2
Cobbler version Verified as present in Cobbler versions 2.6.11+, but code inspection suggests at least 2.0.0+ or possibly even older versions may be vulnerable contains a Incorrect Access Control vulnerability in XMLRPC...Show more
Cobbler version Verified as present in Cobbler versions 2.6.11+, but code inspection suggests at least 2.0.0+ or possibly even older versions may be vulnerable contains a Incorrect Access Control vulnerability in XMLRPC API (/cobbler_api) that can result in Privilege escalation, data manipulation or exfiltration, LDAP credential harvesting. This attack appear to be exploitable via "network connectivity". Taking advantage of improper validation of security tokens in API endpoints. Please note this is a different issue than CVE-2018-10931.Show less
CVE-2018-1000225
1Cobblerd
1Cobbler
Nov 21, 2024
Aug 20, 2018
N/A· v4
6.1 MEDIUM· v3
4.3 MEDIUM· v2
Cobbler version Verified as present in Cobbler versions 2.6.11+, but code inspection suggests at least 2.0.0+ or possibly even older versions may be vulnerable contains a Cross Site Scripting (XSS) vulnerability in cobbl...Show more
Cobbler version Verified as present in Cobbler versions 2.6.11+, but code inspection suggests at least 2.0.0+ or possibly even older versions may be vulnerable contains a Cross Site Scripting (XSS) vulnerability in cobbler-web that can result in Privilege escalation to admin.. This attack appear to be exploitable via "network connectivity". Sending unauthenticated JavaScript payload to the Cobbler XMLRPC API (/cobbler_api).Show less
CVE-2014-3225
1Cobblerd
1Cobbler
May 6, 2026
May 14, 2014
N/A· v4
N/A· v3
4.0 MEDIUM· v2
Absolute path traversal vulnerability in the web interface in Cobbler 2.4.x through 2.6.x allows remote authenticated users to read arbitrary files via the Kickstart field in a profile.