Theforeman (Foreman) vulnerabilities rated high risk

Each entry lists: date, CVE identifier, vulnerability title, description (where given), attack vector, attack complexity, affected vendors, CWE (where given), and risk score.

2018-04-04  CVE-2018-1097  A flaw was found in foreman before 1.16.1.
  Attack vector: network.  Complexity: low.  Vendors: theforeman, redhat.  Risk: 8.8

2018-03-12  CVE-2017-2667  Improper Certificate Validation vulnerability in multiple products
  Hammer CLI, a CLI utility for Foreman, before version 0.10.0, did not explicitly set the verify_ssl flag for apipie-bindings, which disables it by default.
  Attack vector: network.  Complexity: high.  Vendors: theforeman, redhat.  CWE-295.  Risk: 8.1

2017-10-06  CVE-2015-5246  7PK - Security Features vulnerability in Theforeman Foreman 1.9.0
  The LDAP Authentication functionality in Foreman might allow remote attackers with knowledge of old passwords to gain access via vectors involving the password lifetime period in Active Directory.
  Attack vector: network.  Complexity: high.  Vendor: theforeman.  CWE-254.  Risk: 8.1

2017-07-17  CVE-2015-5152  Information Exposure vulnerability in Theforeman Foreman
  Foreman after 1.1 and before 1.9.0-RC1 does not redirect HTTP requests to HTTPS when the require_ssl setting is set to true, which allows remote attackers to obtain user credentials via a man-in-the-middle attack.
  Attack vector: network.  Complexity: high.  Vendor: theforeman.  CWE-200.  Risk: 8.1

2017-05-26  CVE-2017-7505  Improper Privilege Management vulnerability in Theforeman Foreman
  Foreman since version 1.5 is vulnerable to an incorrect authorization check: users with user management permission who are assigned to some organization(s) can perform all operations granted by these permissions on administrator user objects outside of their scope, such as editing global admin accounts, including changing their passwords.
  Attack vector: network.  Complexity: low.  Vendor: theforeman.  CWE-269.  Risk: 8.8

2016-08-19  CVE-2016-4475  7PK - Security Features vulnerability in Theforeman Foreman
  The (1) Organization and (2) Locations APIs and UIs in Foreman before 1.11.4 and 1.12.x before 1.12.0-RC3 allow remote authenticated users to bypass organization and location restrictions and (a) read, (b) edit, or (c) delete arbitrary organizations or locations via unspecified vectors.
  Attack vector: network.  Complexity: low.  Vendor: theforeman.  CWE-254.  Risk: 8.8

2016-05-20  CVE-2016-3728  Improper Access Control vulnerability in Theforeman Foreman 1.10.3/1.11.0/1.11.1
  Eval injection vulnerability in tftp_api.rb in the TFTP module in the Smart-Proxy in Foreman before 1.10.4 and 1.11.x before 1.11.2 allows remote attackers to execute arbitrary code via the PXE template type portion of the PATH_INFO to tftp/.
  Attack vector: network.  Complexity: low.  Vendor: theforeman.  CWE-284.  Risk: 8.8