Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Foreman
(Theforeman)| Repositories |
• https://github.com/theforeman/foreman
• https://github.com/theforeman/smart-proxy |
| #Vulnerabilities | 69 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2013-09-16 | CVE-2013-4180 | The (1) power and (2) ipmi_boot actions in the HostController in Foreman before 1.2.2 allow remote attackers to cause a denial of service (memory consumption) via unspecified input that is converted to a symbol. | Openstack, Foreman | N/A | ||
| 2013-09-16 | CVE-2013-4182 | app/controllers/api/v1/hosts_controller.rb in Foreman before 1.2.2 does not properly restrict access to hosts, which allows remote attackers to access arbitrary hosts via an API request. | Openstack, Foreman | N/A | ||
| 2013-11-20 | CVE-2013-4386 | Multiple SQL injection vulnerabilities in app/models/concerns/host_common.rb in Foreman before 1.2.3 allow remote attackers to execute arbitrary SQL commands via the (1) fqdn or (2) hostgroup parameter. | Openstack, Foreman | N/A | ||
| 2014-03-27 | CVE-2014-0089 | Cross-site scripting (XSS) vulnerability in app/views/common/500.html.erb in Foreman 1.4.x before 1.4.2 allows remote authenticated users to inject arbitrary web script or HTML via the bookmark name when adding a bookmark. | Foreman | N/A | ||
| 2014-05-08 | CVE-2014-0090 | Session fixation vulnerability in Foreman before 1.4.2 allows remote attackers to hijack web sessions via the session id cookie. | Foreman | N/A | ||
| 2014-05-08 | CVE-2014-0192 | Foreman 1.4.0 before 1.5.0 does not properly restrict access to provisioning template previews, which allows remote attackers to obtain sensitive information via the hostname parameter, related to "spoof." | Foreman | N/A | ||
| 2014-06-20 | CVE-2014-0007 | The Smart-Proxy in Foreman before 1.4.5 and 1.5.x before 1.5.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the path parameter to tftp/fetch_boot_file. | Foreman | N/A | ||
| 2015-03-09 | CVE-2014-3691 | Smart Proxy (aka Smart-Proxy and foreman-proxy) in Foreman before 1.5.4 and 1.6.x before 1.6.2 does not validate SSL certificates, which allows remote attackers to bypass intended authentication and execute arbitrary API requests via a request without a certificate. | Openstack, Foreman | N/A | ||
| 2015-08-14 | CVE-2015-3155 | Foreman before 1.8.1 does not set the secure flag for the _session_id cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session. | Foreman | N/A | ||
| 2015-08-14 | CVE-2015-3235 | Foreman before 1.9.0 allows remote authenticated users with the edit_users permission to edit administrator users and change their passwords via unspecified vectors. | Foreman | N/A |