The Foreman Project Foreman vulnerabilities
5 known vulnerabilities affecting the_foreman_project/foreman.
Total CVEs: 5
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown
MEDIUM: 5
Vulnerabilities
CVE-2019-3893 | MEDIUM | CVSS 4.9 | v1.20.3, v1.21.1, +1 more | 2019-04-09
CVE-2019-3893 [MEDIUM] CWE-732
In Foreman it was discovered that the delete compute resource operation, when executed from the Foreman API, leads to the disclosure of the plaintext password or token for the affected compute resource. A malicious user with the "delete_compute_resource" permission can use this flaw to take control over compute resources managed by foreman. Versions b
Sources: cvelistv5, nvd
CVE-2018-16861 | MEDIUM | CVSS 4.8 | v1.18.3, v1.19.1, +1 more | 2018-12-07
CVE-2018-16861 [HIGH] CWE-79
A cross-site scripting (XSS) flaw was found in the foreman component of satellite. An attacker with privilege to create entries using the Hosts, Monitor, Infrastructure, or Administer Menus is able to execute XSS attacks against other users, possibly leading to malicious code execution and extraction of the anti-CSRF token of higher privileged users.
Sources: cvelistv5, nvd
CVE-2016-8634 | MEDIUM | CVSS 5.4 | v1.14.0 | 2018-08-01
CVE-2016-8634 [MEDIUM] CWE-79
A vulnerability was found in foreman 1.14.0. When creating an organization or location in Foreman, if the name contains HTML then the second step of the wizard (/organizations/id/step2) will render the HTML. This occurs in the alertbox on the page. The result is a stored XSS attack if an organization/location with HTML in the name is created, then a us
Sources: cvelistv5, nvd
CVE-2016-8639 | MEDIUM | CVSS 5.4 | v1.13.0 | 2018-08-01
CVE-2016-8639 [MEDIUM] CWE-79
It was found that foreman before 1.13.0 is vulnerable to a stored XSS via an organization or location name. This could allow an attacker with privileges to set the organization or location name to display arbitrary HTML including scripting code within the web interface.
Sources: cvelistv5, nvd
CVE-2016-8613 | MEDIUM | CVSS 6.1 | v1.5.1 | 2018-07-31
CVE-2016-8613 [MEDIUM] CWE-79
A flaw was found in foreman 1.5.1. The remote execution plugin runs commands on hosts over SSH from the Foreman web UI. When a job is submitted that contains HTML tags, the console output shown in the web UI does not escape the output causing any HTML or JavaScript to run in the user's browser. The output of the job is stored, making this a stored XSS v
Sources: cvelistv5, nvd