DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | RISK |
---|---|---|---|---|
2016-05-20 | CVE-2016-3728 | Improper Access Control vulnerability in Theforeman Foreman 1.10.3/1.11.0/1.11.1 | Eval injection vulnerability in tftp_api.rb in the TFTP module in the Smart-Proxy in Foreman before 1.10.4 and 1.11.x before 1.11.2 allows remote attackers to execute arbitrary code via the PXE template type portion of the PATH_INFO to tftp/. | 8.8 |
2016-05-20 | CVE-2016-2100 | Improper Access Control vulnerability in Theforeman Foreman | Foreman before 1.10.3 and 1.11.0 before 1.11.0-RC2 allow remote authenticated users to read, modify, or delete private bookmarks by leveraging the (1) edit_bookmarks or (2) destroy_bookmarks permission. | 5.4 |
2016-04-11 | CVE-2015-5233 | Permissions, Privileges, and Access Controls vulnerability in multiple products | Foreman before 1.8.4 and 1.9.x before 1.9.1 do not properly apply view_hosts permissions, which allows (1) remote authenticated users with the view_reports permission to read reports from arbitrary hosts or (2) remote authenticated users with the destroy_reports permission to delete reports from arbitrary hosts via direct access to the (a) individual report show/delete pages or (b) APIs. | 4.2 |