Vulnerabilities > Theforeman > Medium
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2018-07-26 | CVE-2017-7535 | Cross-site Scripting vulnerability in Theforeman Foreman: Foreman before version 1.16.0 is vulnerable to a stored XSS in organizations/locations assignment to hosts. | 4.3 |
2018-06-21 | CVE-2017-2672 | Improper Privilege Management vulnerability in multiple products: A flaw was found in Foreman before version 1.15 in the logging of adding and registering images. | 4.0 |
2018-04-05 | CVE-2018-1096 | SQL Injection vulnerability in multiple products: An input sanitization flaw was found in the id field in the dashboard controller of Foreman before 1.16.1. | 4.0 |
2017-11-27 | CVE-2017-15100 | Cross-site Scripting vulnerability in multiple products: An attacker submitting facts to the Foreman server containing HTML can cause a stored XSS on certain pages: (1) Facts page, when clicking on the "chart" button and hovering over the chart; (2) Trends page, when checking the graph for a trend based on such a fact; (3) Statistics page, for facts that are aggregated on this page. | 6.1 |
2017-10-18 | CVE-2014-3531 | Cross-site Scripting vulnerability in Theforeman Foreman: Multiple cross-site scripting (XSS) vulnerabilities in Foreman before 1.5.2 allow remote authenticated users to inject arbitrary web script or HTML via the operating system (1) name or (2) description. | 5.4 |
2017-10-16 | CVE-2014-0208 | Cross-site Scripting vulnerability in Theforeman Foreman: Cross-site scripting (XSS) vulnerability in the search auto-completion functionality in Foreman before 1.4.4 allows remote authenticated users to inject arbitrary web script or HTML via a crafted key name. | 5.4 |
2017-10-06 | CVE-2015-5246 | 7PK - Security Features vulnerability in Theforeman Foreman 1.9.0: The LDAP Authentication functionality in Foreman might allow remote attackers with knowledge of old passwords to gain access via vectors involving the password lifetime period in Active Directory. | 6.8 |
2017-09-25 | CVE-2015-5282 | Cross-site Scripting vulnerability in Theforeman Foreman: Cross-site scripting (XSS) vulnerability in Foreman 1.7.0 and after. | 4.3 |
2017-05-26 | CVE-2017-7505 | Improper Privilege Management vulnerability in Theforeman Foreman: Foreman since version 1.5 is vulnerable to an incorrect authorization check due to which users with user management permission who are assigned to some organization(s) can do all operations granted by these permissions on all administrator user objects outside of their scope, such as editing global admin accounts including changing their passwords. | 6.5 |
2016-08-19 | CVE-2016-6320 | Cross-site Scripting vulnerability in Theforeman Foreman: Cross-site scripting (XSS) vulnerability in app/assets/javascripts/host_edit_interfaces.js in Foreman before 1.12.2 allows remote authenticated users to inject arbitrary web script or HTML via the network interface device identifier in the host interface form. | 5.4 |