| Max CVSS | Min CVSS | Total Count |
|---|---|---|
| 10.0 | 1.9 | 2 |

| ID | CVSS | Summary | Last (major) update | Published |
|---|---|---|---|---|
| | | A lack of access control was found in the message queues maintained by Satellite's QPID broker and used by katello-agent in versions before Satellite 6.2, Satellite 6.1 optional and Satellite Capsule 6.1. A malicious user authenticated to a host regi | 15-10-2020 - 14:43 | 11-04-2019 - 15:29 |
| | | The RESTful Web Services (restws) module 7.x-1.x before 7.x-1.4 and 7.x-2.x before 7.x-2.1 for Drupal does not properly restrict access to entity write operations, which makes it easier for remote authenticated users with the "access resource node" a | 27-02-2020 - 15:42 | 11-02-2020 - 21:15 |
| | | Foreman has improper input validation which could lead to partial Denial of Service | 16-12-2019 - 13:12 | 11-12-2019 - 15:15 |
| | | Katello has multiple XSS issues in various entities | 11-12-2019 - 16:18 | 03-12-2019 - 14:15 |
| | | The StoreBuffer::ExemptPopularPages function in store-buffer.cc in Google V8 before 126.96.36.199, as used in Google Chrome before 32.0.1700.102, allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other | 30-10-2018 - 16:27 | 28-01-2014 - 14:30 |
| | | Array index error in the scanstring function in the _json module in Python 2.7 through 3.5 and simplejson before 2.6.1 allows context-dependent attackers to read arbitrary process memory via a negative index value in the idx argument to the raw_decod | 30-10-2018 - 16:27 | 24-08-2017 - 20:29 |
| | | Multiple SQL injection vulnerabilities in app/models/concerns/host_common.rb in Foreman before 1.2.3 allow remote attackers to execute arbitrary SQL commands via the (1) fqdn or (2) hostgroup parameter. | 13-08-2018 - 21:47 | 20-11-2013 - 14:12 |
| | | Eval injection vulnerability in the create method in the Bookmarks controller in Foreman before 1.2.0-RC2 allows remote authenticated users with permissions to create bookmarks to execute arbitrary code via a controller name attribute. | 13-08-2018 - 21:47 | 31-07-2013 - 13:20 |
| | | Katello allows remote authenticated users to call the "system remove_deletion" CLI command via vectors related to "remove system" permissions. | 13-06-2018 - 14:27 | 01-05-2018 - 19:29 |
| | | Cross-site scripting (XSS) vulnerability in the search auto-completion functionality in Foreman before 1.4.4 allows remote authenticated users to inject arbitrary web script or HTML via a crafted key name. | 01-11-2017 - 11:47 | 16-10-2017 - 18:29 |
| | | Multiple cross-site scripting (XSS) vulnerabilities in Foreman before 1.5.2 allow remote authenticated users to inject arbitrary web script or HTML via the operating system (1) name or (2) description. | 27-10-2017 - 18:55 | 18-10-2017 - 14:29 |
| | | Google V8, as used in Google Chrome before 28.0.1500.95, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that leverage "type confusion." | 19-09-2017 - 01:36 | 31-07-2013 - 13:20 |
| | | Multiple unspecified vulnerabilities in Google V8 before 188.8.131.52, as used in Google Chrome before 33.0.1750.149, allow attackers to cause a denial of service or possibly have other impact via unknown vectors. | 07-01-2017 - 02:59 | 16-03-2014 - 14:06 |
| | | The ssl.match_hostname function in CPython (aka Python) before 2.7.9 and 3.x before 3.3.3 does not properly handle wildcards in hostnames, which might allow man-in-the-middle attackers to spoof servers via a crafted certificate. | 28-11-2016 - 19:10 | 07-06-2016 - 18:59 |
| | | The Smart-Proxy in Foreman before 1.4.5 and 1.5.x before 1.5.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the path parameter to tftp/fetch_boot_file. | 23-06-2014 - 14:45 | 20-06-2014 - 14:55 |
| | | Kafo before 0.3.17 and 0.4.x before 0.5.2, as used by Foreman, uses world-readable permissions for default_values.yaml, which allows local users to obtain passwords and other sensitive information by reading the file. | 09-05-2014 - 16:12 | 08-05-2014 - 14:29 |
| | | Session fixation vulnerability in Foreman before 1.4.2 allows remote attackers to hijack web sessions via the session id cookie. | 09-05-2014 - 14:50 | 08-05-2014 - 14:29 |
| | | Foreman 1.4.0 before 1.5.0 does not properly restrict access to provisioning template previews, which allows remote attackers to obtain sensitive information via the hostname parameter, related to "spoof." | 08-05-2014 - 18:21 | 08-05-2014 - 14:29 |
| | | The default configuration for MongoDB before 2.3.2 does not validate objects, which allows remote authenticated users to cause a denial of service (crash) or read system memory via a crafted BSON object in the column name in an insert command, which | 07-05-2014 - 03:45 | 06-03-2014 - 15:55 |
| | | Cross-site scripting (XSS) vulnerability in app/views/common/500.html.erb in Foreman 1.4.x before 1.4.2 allows remote authenticated users to inject arbitrary web script or HTML via the bookmark name when adding a bookmark. | 27-03-2014 - 18:59 | 27-03-2014 - 16:55 |
| | | The DehoistArrayIndex function in hydrogen-dehoist.cc (aka hydrogen.cc) in Google V8 before 184.108.40.206, as used in Google Chrome before 31.0.1650.63, allows remote attackers to cause a denial of service (out-of-bounds write) or possibly have unspecifi | 06-03-2014 - 04:49 | 07-12-2013 - 00:55 |
| | | app/controllers/api/v1/hosts_controller.rb in Foreman before 1.2.2 does not properly restrict access to hosts, which allows remote attackers to access arbitrary hosts via an API request. | 17-09-2013 - 15:14 | 16-09-2013 - 19:14 |
| | | The (1) power and (2) ipmi_boot actions in the HostController in Foreman before 1.2.2 allow remote attackers to cause a denial of service (memory consumption) via unspecified input that is converted to a symbol. | 17-09-2013 - 15:00 | 16-09-2013 - 19:14 |