Vulnerabilities > Theforeman > Foreman > High
| DATE | CVE | VULNERABILITY TITLE | RISK |
| --- | --- | --- | --- |
| 2019-08-01 | CVE-2014-8183 | Improper Access Control vulnerability in multiple products. It was found that foreman, versions 1.x.x before 1.15.6, in Satellite 6 did not properly enforce access controls on certain resources. | 7.4 |
| 2018-04-16 | CVE-2016-9593 | Credentials Management vulnerability in multiple products. foreman-debug before version 1.15.0 is vulnerable to a flaw in foreman-debug's logging. | 8.8 |
| 2018-04-04 | CVE-2018-1097 | Information Exposure vulnerability in multiple products. A flaw was found in foreman before 1.16.1. | 8.8 |
| 2017-07-17 | CVE-2015-5152 | Information Exposure vulnerability in Theforeman Foreman. Foreman after 1.1 and before 1.9.0-RC1 does not redirect HTTP requests to HTTPS when the require_ssl setting is set to true, which allows remote attackers to obtain user credentials via a man-in-the-middle attack. | 8.1 |
| 2016-08-19 | CVE-2016-4475 | 7PK - Security Features vulnerability in Theforeman Foreman. The (1) Organization and (2) Locations APIs and UIs in Foreman before 1.11.4 and 1.12.x before 1.12.0-RC3 allow remote authenticated users to bypass organization and location restrictions and (a) read, (b) edit, or (c) delete arbitrary organizations or locations via unspecified vectors. | 8.8 |
| 2016-05-20 | CVE-2016-3728 | Improper Access Control vulnerability in Theforeman Foreman 1.10.3/1.11.0/1.11.1. Eval injection vulnerability in tftp_api.rb in the TFTP module in the Smart-Proxy in Foreman before 1.10.4 and 1.11.x before 1.11.2 allows remote attackers to execute arbitrary code via the PXE template type portion of the PATH_INFO to tftp/. | 8.8 |
| 2014-05-08 | CVE-2013-0210 | Code Injection vulnerability in Theforeman Foreman. The smart proxy Puppet run API in Foreman before 1.2.0 allows remote attackers to execute arbitrary commands via vectors related to escaping and Puppet commands. | 7.5 |
| 2014-05-08 | CVE-2013-0171 | Code Injection vulnerability in Theforeman Foreman. Foreman before 1.1 allows remote attackers to execute arbitrary code via a crafted YAML object to the (1) fact or (2) report import API. | 7.5 |
| 2014-04-04 | CVE-2012-5648 | SQL Injection vulnerability in Theforeman Foreman. Multiple SQL injection vulnerabilities in Foreman before 1.0.2 allow remote attackers to execute arbitrary SQL commands via unspecified parameters to (1) app/models/hostext/search.rb or (2) app/models/puppetclass.rb, related to the search mechanism. | 7.5 |