Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Foreman
(Theforeman)| Repositories |
• https://github.com/theforeman/foreman
• https://github.com/theforeman/smart-proxy |
| #Vulnerabilities | 69 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2016-08-19 | CVE-2016-6319 | Cross-site scripting (XSS) vulnerability in app/helpers/form_helper.rb in Foreman before 1.12.2, as used by Remote Execution and possibly other plugins, allows remote attackers to inject arbitrary web script or HTML via the label parameter. | Foreman | 6.1 | ||
| 2016-08-19 | CVE-2016-6320 | Cross-site scripting (XSS) vulnerability in app/assets/javascripts/host_edit_interfaces.js in Foreman before 1.12.2 allows remote authenticated users to inject arbitrary web script or HTML via the network interface device identifier in the host interface form. | Foreman | 5.4 | ||
| 2017-07-17 | CVE-2015-5152 | Foreman after 1.1 and before 1.9.0-RC1 does not redirect HTTP requests to HTTPS when the require_ssl setting is set to true, which allows remote attackers to obtain user credentials via a man-in-the-middle attack. | Foreman | 8.1 | ||
| 2017-10-16 | CVE-2014-0208 | Cross-site scripting (XSS) vulnerability in the search auto-completion functionality in Foreman before 1.4.4 allows remote authenticated users to inject arbitrary web script or HTML via a crafted key name. | Foreman | 5.4 | ||
| 2017-10-18 | CVE-2014-3531 | Multiple cross-site scripting (XSS) vulnerabilities in Foreman before 1.5.2 allow remote authenticated users to inject arbitrary web script or HTML via the operating system (1) name or (2) description. | Foreman | 5.4 | ||
| 2018-04-04 | CVE-2018-1097 | A flaw was found in foreman before 1.16.1. The issue allows users with limited permissions for powering oVirt/RHV hosts on and off to discover the username and password used to connect to the compute resource. | Satellite, Foreman | 8.8 | ||
| 2018-07-31 | CVE-2016-8613 | A flaw was found in foreman 1.5.1. The remote execution plugin runs commands on hosts over SSH from the Foreman web UI. When a job is submitted that contains HTML tags, the console output shown in the web UI does not escape the output causing any HTML or JavaScript to run in the user's browser. The output of the job is stored, making this a stored XSS vulnerability. | Foreman | 6.1 | ||
| 2018-08-01 | CVE-2016-8634 | A vulnerability was found in foreman 1.14.0. When creating an organization or location in Foreman, if the name contains HTML then the second step of the wizard (/organizations/id/step2) will render the HTML. This occurs in the alertbox on the page. The result is a stored XSS attack if an organization/location with HTML in the name is created, then a user is linked directly to this URL. | Foreman | 5.4 | ||
| 2018-09-21 | CVE-2018-14643 | An authentication bypass flaw was found in the smart_proxy_dynflow component used by Foreman. A malicious attacker can use this flaw to remotely execute arbitrary commands on machines managed by vulnerable Foreman instances, in a highly privileged context. | Foreman | 9.8 | ||
| 2019-12-11 | CVE-2014-0091 | Foreman has improper input validation which could lead to partial Denial of Service | Foreman | 5.3 |