Theforeman

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2016-2100 1Theforeman 1Foreman May 6, 2026 May 20, 2016 N/A· v4 5.4 MEDIUM· v3 6.5 MEDIUM· v2 Foreman before 1.10.3 and 1.11.0 before 1.11.0-RC2 allow remote authenticated users to read, modify, or delete private bookmarks by leveraging the (1) edit_bookmarks or (2) destroy_bookmarks permission.
CVE-2015-5233 2Redhat Theforeman 2Foreman Satellite May 6, 2026 Apr 11, 2016 N/A· v4 4.2 MEDIUM· v3 6.0 MEDIUM· v2 Foreman before 1.8.4 and 1.9.x before 1.9.1 do not properly apply view_hosts permissions, which allows (1) remote authenticated users with the view_reports permission to read reports from arbitrary hosts or (2) remote au...Show more Foreman before 1.8.4 and 1.9.x before 1.9.1 do not properly apply view_hosts permissions, which allows (1) remote authenticated users with the view_reports permission to read reports from arbitrary hosts or (2) remote authenticated users with the destroy_reports permission to delete reports from arbitrary hosts via direct access to the (a) individual report show/delete pages or (b) APIs.Show less
CVE-2015-7518 1Theforeman 1Foreman May 6, 2026 Dec 17, 2015 N/A· v4 N/A· v3 4.3 MEDIUM· v2 Multiple cross-site scripting (XSS) vulnerabilities in information popups in Foreman before 1.10.0 allow remote attackers to inject arbitrary web script or HTML via (1) global parameters, (2) smart class parameters, or (...Show more Multiple cross-site scripting (XSS) vulnerabilities in information popups in Foreman before 1.10.0 allow remote attackers to inject arbitrary web script or HTML via (1) global parameters, (2) smart class parameters, or (3) smart variables in the (a) host or (b) hostgroup edit forms.Show less
CVE-2015-3235 1Theforeman 1Foreman May 6, 2026 Aug 14, 2015 N/A· v4 N/A· v3 6.0 MEDIUM· v2 Foreman before 1.9.0 allows remote authenticated users with the edit_users permission to edit administrator users and change their passwords via unspecified vectors.
CVE-2015-3155 1Theforeman 1Foreman May 6, 2026 Aug 14, 2015 N/A· v4 N/A· v3 5.0 MEDIUM· v2 Foreman before 1.8.1 does not set the secure flag for the _session_id cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session.
CVE-2015-1844 1Theforeman 1Foreman May 6, 2026 Aug 14, 2015 N/A· v4 N/A· v3 4.0 MEDIUM· v2 Foreman before 1.7.5 allows remote authenticated users to bypass organization and location restrictions by connecting through the REST API.
CVE-2015-1816 1Theforeman 1Foreman May 6, 2026 Aug 14, 2015 N/A· v4 N/A· v3 5.0 MEDIUM· v2 Forman before 1.7.4 does not verify SSL certificates for LDAP connections, which allows man-in-the-middle attackers to spoof LDAP servers via a crafted certificate.
CVE-2014-3653 1Theforeman 1Foreman May 6, 2026 Jul 6, 2015 N/A· v4 N/A· v3 4.3 MEDIUM· v2 Cross-site scripting (XSS) vulnerability in the template preview function in Foreman before 1.6.1 allows remote attackers to inject arbitrary web script or HTML via a crafted provisioning template.
CVE-2014-3691 2Redhat Theforeman 2Foreman Openstack May 6, 2026 Mar 9, 2015 N/A· v4 N/A· v3 7.5 HIGH· v2 Smart Proxy (aka Smart-Proxy and foreman-proxy) in Foreman before 1.5.4 and 1.6.x before 1.6.2 does not validate SSL certificates, which allows remote attackers to bypass intended authentication and execute arbitrary API...Show more Smart Proxy (aka Smart-Proxy and foreman-proxy) in Foreman before 1.5.4 and 1.6.x before 1.6.2 does not validate SSL certificates, which allows remote attackers to bypass intended authentication and execute arbitrary API requests via a request without a certificate.Show less
CVE-2014-3492 1Theforeman 1Foreman May 6, 2026 Jul 1, 2014 N/A· v4 N/A· v3 4.3 MEDIUM· v2 Multiple cross-site scripting (XSS) vulnerabilities in the host YAML view in Foreman before 1.4.5 and 1.5.x before 1.5.1 allow remote attackers to inject arbitrary web script or HTML via a parameter (1) name or (2) value...Show more Multiple cross-site scripting (XSS) vulnerabilities in the host YAML view in Foreman before 1.4.5 and 1.5.x before 1.5.1 allow remote attackers to inject arbitrary web script or HTML via a parameter (1) name or (2) value related to the host.Show less
CVE-2014-3491 1Theforeman 1Foreman May 6, 2026 Jul 1, 2014 N/A· v4 N/A· v3 4.3 MEDIUM· v2 Cross-site scripting (XSS) vulnerability in Foreman before 1.4.5 and 1.5.x before 1.5.1 allows remote attackers to inject arbitrary web script or HTML via the Name field to the New Host groups page, related to create, up...Show more Cross-site scripting (XSS) vulnerability in Foreman before 1.4.5 and 1.5.x before 1.5.1 allows remote attackers to inject arbitrary web script or HTML via the Name field to the New Host groups page, related to create, update, and destroy notification boxes.Show less
CVE-2014-4507 1Theforeman 1Foreman May 6, 2026 Jun 20, 2014 N/A· v4 N/A· v3 6.4 MEDIUM· v2 Directory traversal vulnerability in Smart-Proxy in Foreman before 1.4.5 and 1.5.x before 1.5.1 allows remote attackers to overwrite arbitrary files via a .. (dot dot) in the dst parameter to tftp/fetch_boot_file.
CVE-2014-0007 1Theforeman 1Foreman May 6, 2026 Jun 20, 2014 N/A· v4 N/A· v3 7.5 HIGH· v2 The Smart-Proxy in Foreman before 1.4.5 and 1.5.x before 1.5.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the path parameter to tftp/fetch_boot_file.
CVE-2014-0192 1Theforeman 1Foreman May 6, 2026 May 8, 2014 N/A· v4 N/A· v3 5.0 MEDIUM· v2 Foreman 1.4.0 before 1.5.0 does not properly restrict access to provisioning template previews, which allows remote attackers to obtain sensitive information via the hostname parameter, related to "spoof."
CVE-2014-0135 1Theforeman 1Kafo May 6, 2026 May 8, 2014 N/A· v4 N/A· v3 1.9 LOW· v2 Kafo before 0.3.17 and 0.4.x before 0.5.2, as used by Foreman, uses world-readable permissions for default_values.yaml, which allows local users to obtain passwords and other sensitive information by reading the file.
CVE-2014-0090 1Theforeman 1Foreman May 6, 2026 May 8, 2014 N/A· v4 N/A· v3 6.8 MEDIUM· v2 Session fixation vulnerability in Foreman before 1.4.2 allows remote attackers to hijack web sessions via the session id cookie.
CVE-2013-0210 1Theforeman 1Foreman May 6, 2026 May 8, 2014 N/A· v4 N/A· v3 7.5 HIGH· v2 The smart proxy Puppet run API in Foreman before 1.2.0 allows remote attackers to execute arbitrary commands via vectors related to escaping and Puppet commands.
CVE-2013-0187 1Theforeman 1Foreman May 6, 2026 May 8, 2014 N/A· v4 N/A· v3 6.5 MEDIUM· v2 Foreman before 1.1 allows remote authenticated users to gain privileges via a (1) XMLHttpRequest or (2) AJAX request.
CVE-2013-0174 1Theforeman 1Foreman May 6, 2026 May 8, 2014 N/A· v4 N/A· v3 5.0 MEDIUM· v2 The external node classifier (ENC) API in Foreman before 1.1 allows remote attackers to obtain the hashed root password via an API request.
CVE-2013-0173 1Theforeman 1Foreman May 6, 2026 May 8, 2014 N/A· v4 N/A· v3 5.0 MEDIUM· v2 Foreman before 1.1 uses a salt of "foreman" to hash root passwords, which makes it easier for attackers to guess the password via a brute force attack.

Previous 1 2 345 Next