Theforeman

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2017-7535 1Theforeman 1Foreman Nov 21, 2024 Jul 26, 2018 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 foreman before version 1.16.0 is vulnerable to a stored XSS in organizations/locations assignment to hosts. Exploiting this requires a user to actively assign hosts to an organization that contains html in its name which...Show more foreman before version 1.16.0 is vulnerable to a stored XSS in organizations/locations assignment to hosts. Exploiting this requires a user to actively assign hosts to an organization that contains html in its name which is visible to the user prior to taking action.Show less
CVE-2017-2672 2Redhat Theforeman 2Foreman Satellite Nov 21, 2024 Jun 21, 2018 N/A· v4 8.8 HIGH· v3 4.0 MEDIUM· v2 A flaw was found in foreman before version 1.15 in the logging of adding and registering images. An attacker with access to the foreman log file would be able to view passwords for provisioned systems in the log file, al...Show more A flaw was found in foreman before version 1.15 in the logging of adding and registering images. An attacker with access to the foreman log file would be able to view passwords for provisioned systems in the log file, allowing them to access those systems.Show less
CVE-2016-9593 2Redhat Theforeman 2Foreman Satellite Nov 21, 2024 Apr 16, 2018 N/A· v4 8.8 HIGH· v3 4.0 MEDIUM· v2 foreman-debug before version 1.15.0 is vulnerable to a flaw in foreman-debug's logging. An attacker with access to the foreman log file would be able to view passwords, allowing them to access those systems.
CVE-2018-1096 2Redhat Theforeman 2Foreman Satellite Nov 21, 2024 Apr 5, 2018 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 An input sanitization flaw was found in the id field in the dashboard controller of Foreman before 1.16.1. A user could use this flaw to perform an SQL injection attack on the back end database.
CVE-2018-1097 2Redhat Theforeman 2Foreman Satellite Nov 21, 2024 Apr 4, 2018 N/A· v4 8.8 HIGH· v3 4.0 MEDIUM· v2 A flaw was found in foreman before 1.16.1. The issue allows users with limited permissions for powering oVirt/RHV hosts on and off to discover the username and password used to connect to the compute resource.
CVE-2017-2667 2Redhat Theforeman 3Hammer Cli SatelliteSatellite Capsule Nov 21, 2024 Mar 12, 2018 N/A· v4 8.1 HIGH· v3 6.8 MEDIUM· v2 Hammer CLI, a CLI utility for Foreman, before version 0.10.0, did not explicitly set the verify_ssl flag for apipie-bindings that disable it by default. As a result the server certificates are not checked and connections...Show more Hammer CLI, a CLI utility for Foreman, before version 0.10.0, did not explicitly set the verify_ssl flag for apipie-bindings that disable it by default. As a result the server certificates are not checked and connections are prone to man-in-the-middle attacks.Show less
CVE-2017-15100 2Redhat Theforeman 3Foreman SatelliteSatellite Capsule May 13, 2026 Nov 27, 2017 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 An attacker submitting facts to the Foreman server containing HTML can cause a stored XSS on certain pages: (1) Facts page, when clicking on the "chart" button and hovering over the chart; (2) Trends page, when checking...Show more An attacker submitting facts to the Foreman server containing HTML can cause a stored XSS on certain pages: (1) Facts page, when clicking on the "chart" button and hovering over the chart; (2) Trends page, when checking the graph for a trend based on a such fact; (3) Statistics page, for facts that are aggregated on this page.Show less
CVE-2014-3531 1Theforeman 1Foreman May 13, 2026 Oct 18, 2017 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 Multiple cross-site scripting (XSS) vulnerabilities in Foreman before 1.5.2 allow remote authenticated users to inject arbitrary web script or HTML via the operating system (1) name or (2) description.
CVE-2014-0208 1Theforeman 1Foreman May 13, 2026 Oct 16, 2017 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 Cross-site scripting (XSS) vulnerability in the search auto-completion functionality in Foreman before 1.4.4 allows remote authenticated users to inject arbitrary web script or HTML via a crafted key name.
CVE-2015-5246 1Theforeman 1Foreman May 13, 2026 Oct 6, 2017 N/A· v4 8.1 HIGH· v3 6.8 MEDIUM· v2 The LDAP Authentication functionality in Foreman might allow remote attackers with knowledge of old passwords to gain access via vectors involving the password lifetime period in Active Directory.
CVE-2015-5282 1Theforeman 1Foreman May 13, 2026 Sep 25, 2017 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 Cross-site scripting (XSS) vulnerability in Foreman 1.7.0 and after.
CVE-2015-5152 1Theforeman 1Foreman May 13, 2026 Jul 17, 2017 N/A· v4 8.1 HIGH· v3 4.3 MEDIUM· v2 Foreman after 1.1 and before 1.9.0-RC1 does not redirect HTTP requests to HTTPS when the require_ssl setting is set to true, which allows remote attackers to obtain user credentials via a man-in-the-middle attack.
CVE-2017-7505 1Theforeman 1Foreman May 13, 2026 May 26, 2017 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 Foreman since version 1.5 is vulnerable to an incorrect authorization check due to which users with user management permission who are assigned to some organization(s) can do all operations granted by these permissions o...Show more Foreman since version 1.5 is vulnerable to an incorrect authorization check due to which users with user management permission who are assigned to some organization(s) can do all operations granted by these permissions on all administrator user object outside of their scope, such as editing global admin accounts including changing their passwords.Show less
CVE-2016-6320 1Theforeman 1Foreman May 6, 2026 Aug 19, 2016 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 Cross-site scripting (XSS) vulnerability in app/assets/javascripts/host_edit_interfaces.js in Foreman before 1.12.2 allows remote authenticated users to inject arbitrary web script or HTML via the network interface devic...Show more Cross-site scripting (XSS) vulnerability in app/assets/javascripts/host_edit_interfaces.js in Foreman before 1.12.2 allows remote authenticated users to inject arbitrary web script or HTML via the network interface device identifier in the host interface form.Show less
CVE-2016-6319 1Theforeman 1Foreman May 6, 2026 Aug 19, 2016 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 Cross-site scripting (XSS) vulnerability in app/helpers/form_helper.rb in Foreman before 1.12.2, as used by Remote Execution and possibly other plugins, allows remote attackers to inject arbitrary web script or HTML via...Show more Cross-site scripting (XSS) vulnerability in app/helpers/form_helper.rb in Foreman before 1.12.2, as used by Remote Execution and possibly other plugins, allows remote attackers to inject arbitrary web script or HTML via the label parameter.Show less
CVE-2016-5390 1Theforeman 1Foreman May 6, 2026 Aug 19, 2016 N/A· v4 5.3 MEDIUM· v3 3.5 LOW· v2 Foreman before 1.11.4 and 1.12.x before 1.12.1 allow remote authenticated users with the view_hosts permission containing a filter to obtain sensitive network interface information via a request to API routes beneath "ho...Show more Foreman before 1.11.4 and 1.12.x before 1.12.1 allow remote authenticated users with the view_hosts permission containing a filter to obtain sensitive network interface information via a request to API routes beneath "hosts," as demonstrated by a GET request to api/v2/hosts/secrethost/interfaces.Show less
CVE-2016-4995 1Theforeman 1Foreman May 6, 2026 Aug 19, 2016 N/A· v4 5.3 MEDIUM· v3 3.5 LOW· v2 Foreman before 1.11.4 and 1.12.x before 1.12.1 does not properly restrict access to preview provisioning templates, which allows remote authenticated users with permission to view some hosts to obtain sensitive host conf...Show more Foreman before 1.11.4 and 1.12.x before 1.12.1 does not properly restrict access to preview provisioning templates, which allows remote authenticated users with permission to view some hosts to obtain sensitive host configuration information via a URL with a hostname.Show less
CVE-2016-4475 1Theforeman 1Foreman May 6, 2026 Aug 19, 2016 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 The (1) Organization and (2) Locations APIs and UIs in Foreman before 1.11.4 and 1.12.x before 1.12.0-RC3 allow remote authenticated users to bypass organization and location restrictions and (a) read, (b) edit, or (c) d...Show more The (1) Organization and (2) Locations APIs and UIs in Foreman before 1.11.4 and 1.12.x before 1.12.0-RC3 allow remote authenticated users to bypass organization and location restrictions and (a) read, (b) edit, or (c) delete arbitrary organizations or locations via unspecified vectors.Show less
CVE-2016-4451 1Theforeman 1Foreman May 6, 2026 Aug 19, 2016 N/A· v4 5.0 MEDIUM· v3 6.0 MEDIUM· v2 The (1) Organization and (2) Locations APIs in Foreman before 1.11.3 and 1.12.x before 1.12.0-RC1 allow remote authenticated users with unlimited filters to bypass organization and location restrictions and read or modif...Show more The (1) Organization and (2) Locations APIs in Foreman before 1.11.3 and 1.12.x before 1.12.0-RC1 allow remote authenticated users with unlimited filters to bypass organization and location restrictions and read or modify data for an arbitrary organization by leveraging knowledge of the id of that organization.Show less
CVE-2016-3728 1Theforeman 1Foreman May 6, 2026 May 20, 2016 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Eval injection vulnerability in tftp_api.rb in the TFTP module in the Smart-Proxy in Foreman before 1.10.4 and 1.11.x before 1.11.2 allows remote attackers to execute arbitrary code via the PXE template type portion of t...Show more Eval injection vulnerability in tftp_api.rb in the TFTP module in the Smart-Proxy in Foreman before 1.10.4 and 1.11.x before 1.11.2 allows remote attackers to execute arbitrary code via the PXE template type portion of the PATH_INFO to tftp/.Show less

Previous 1 234 5 Next