Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2013-2121 — Code Injection in Foreman

CWE-94 — Code Injection CWE-95 — Eval Injection6 documents6 sources

Severity

6.0MEDIUMNVD

EPSS

60.9%

top 1.69%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Theforeman Foreman Redhat Openstack

Timeline

PublishedJul 31

Latest updateMay 14

Description

Eval injection vulnerability in the create method in the Bookmarks controller in Foreman before 1.2.0-RC2 allows remote authenticated users with permissions to create bookmarks to execute arbitrary code via a controller name attribute.

CVSS vector

AV:N/AC:M/C:P/I:P/A:PExploitability: 6.8 | Impact: 6.4

Affected Packages2 packages

▶NVDtheforeman/foreman1.2.0+1

▶NVDredhat/openstack3.0

🔴Vulnerability Details

GHSA

GHSA-j6g9-xm4c-vp6v: Eval injection vulnerability in the create method in the Bookmarks controller in Foreman before 1↗2022-05-14

▶

CVEList

CVE-2013-2121: Eval injection vulnerability in the create method in the Bookmarks controller in Foreman before 1↗2013-07-31

▶

💥Exploits & PoCs

Exploit-DB

Foreman (RedHat OpenStack/Satellite) - bookmarks/create Code Injection (Metasploit)↗2013-07-23

▶

📋Vendor Advisories

Red Hat

Foreman: app/controllers/bookmarks_controller.rb remote code execution↗2013-06-07

▶

💬Community

Bugzilla

CVE-2013-2121 Foreman: app/controllers/bookmarks_controller.rb remote code execution↗2013-05-29

▶