GCVE - cpe:2.3:a:theforeman:foreman:1.2.0:*:*:*:*:*:*:*

Approved changes feed: RSS · Atom

cpe:2.3:a:theforeman:foreman:1.2.0:*:*:*:*:*:*:*

part: a version: 1.2.0 update: *

Vendor	Theforeman (`760bf134-312a-50ab-8452-1d7485d10f9b`)
Product	Foreman (`a88a3ac5-9a3c-5a4c-91ec-c5eca465eab6`)
Edition	*
Language	*
Software edition	*
Target software	*
Target hardware	*
Other	*
Notes	Imported from NVD CPE 2.0 feed

PURL mappings

PURL	Source	Last updated
`pkg:deb/debian/ruby-foreman`	purl2cpe	2026-06-01 10:15:04.573868
`pkg:deb/ubuntu/ruby-foreman`	purl2cpe	2026-06-01 10:15:04.573870
`pkg:gem/foreman`	purl2cpe	2026-06-01 10:15:04.573871
`pkg:github/theforeman/foreman`	purl2cpe	2026-06-01 10:15:04.573872
`pkg:rpm/opensuse/rubygem-foreman`	purl2cpe	2026-06-01 10:15:04.573874

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2015-5152`	vulnerable	2026-06-08 05:06:48.907167	Details available Foreman after 1.1 and before 1.9.0-RC1 does not redirect HTTP requests to HTTPS when the require_ssl setting is set to true, which allows remote attackers to obtain user credentials via a man-in-the-middle attack. Published: 2017-07-14T20:00:00.000Z Updated: 2024-08-06T06:32:32.742Z Open on db.gcve.eu Reference links http://projects.theforeman.org/issues/11119 https://bugzilla.redhat.com/show_bug.cgi?id=1243571	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2014-0090`	vulnerable	2026-06-08 05:05:11.386089	Details available Session fixation vulnerability in Foreman before 1.4.2 allows remote attackers to hijack web sessions via the session id cookie. Published: 2014-05-08T14:00:00.000Z Updated: 2024-08-06T09:05:38.660Z Open on db.gcve.eu Reference links https://bugzilla.redhat.com/show_bug.cgi?id=1072151 http://projects.theforeman.org/issues/4457 http://theforeman.org/security.html	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2013-4386`	vulnerable	2026-06-08 05:04:35.891050	Details available Multiple SQL injection vulnerabilities in app/models/concerns/host_common.rb in Foreman before 1.2.3 allow remote attackers to execute arbitrary SQL commands via the (1) fqdn or (2) hostgroup parameter. Published: 2013-11-19T19:00:00.000Z Updated: 2024-08-06T16:45:14.646Z Open on db.gcve.eu Reference links https://groups.google.com/forum/#%21topic/foreman-announce/GKMNXM66Z84 http://projects.theforeman.org/issues/3160 http://rhn.redhat.com/errata/RHSA-2013-1522.html	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2013-4182`	vulnerable	2026-06-08 05:04:34.429411	Details available app/controllers/api/v1/hosts_controller.rb in Foreman before 1.2.2 does not properly restrict access to hosts, which allows remote attackers to access arbitrary hosts via an API request. Published: 2013-09-16T19:00:00.000Z Updated: 2024-08-06T16:38:01.749Z Open on db.gcve.eu Reference links http://rhn.redhat.com/errata/RHSA-2013-1196.html https://bugzilla.redhat.com/show_bug.cgi?id=990374 http://theforeman.org/manuals/1.2/index.html#Releasenotesfor1.2.2 http://projects.theforeman.org/issues/2863	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2013-4180`	vulnerable	2026-06-08 05:04:34.426265	Details available The (1) power and (2) ipmi_boot actions in the HostController in Foreman before 1.2.2 allow remote attackers to cause a denial of service (memory consumption) via unspecified input that is converted to a symbol. Published: 2013-09-16T19:00:00.000Z Updated: 2024-08-06T16:38:01.117Z Open on db.gcve.eu Reference links http://rhn.redhat.com/errata/RHSA-2013-1196.html http://projects.theforeman.org/issues/2860 http://theforeman.org/manuals/1.2/index.html#Releasenotesfor1.2.2	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.