GCVE - cpe:2.3:a:theforeman:foreman:1.4.0:*:*:*:*:*:*:*

Approved changes feed: RSS · Atom

cpe:2.3:a:theforeman:foreman:1.4.0:*:*:*:*:*:*:*

part: a version: 1.4.0 update: *

Vendor	Theforeman (`760bf134-312a-50ab-8452-1d7485d10f9b`)
Product	Foreman (`a88a3ac5-9a3c-5a4c-91ec-c5eca465eab6`)
Edition	*
Language	*
Software edition	*
Target software	*
Target hardware	*
Other	*
Notes	Imported from NVD CPE 2.0 feed

PURL mappings

PURL	Source	Last updated
`pkg:deb/debian/ruby-foreman`	purl2cpe	2026-06-01 10:15:04.574204
`pkg:deb/ubuntu/ruby-foreman`	purl2cpe	2026-06-01 10:15:04.574205
`pkg:gem/foreman`	purl2cpe	2026-06-01 10:15:04.574207
`pkg:github/theforeman/foreman`	purl2cpe	2026-06-01 10:15:04.574208
`pkg:rpm/opensuse/rubygem-foreman`	purl2cpe	2026-06-01 10:15:04.574210

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2015-5152`	vulnerable	2026-06-08 05:06:48.915816	Details available Foreman after 1.1 and before 1.9.0-RC1 does not redirect HTTP requests to HTTPS when the require_ssl setting is set to true, which allows remote attackers to obtain user credentials via a man-in-the-middle attack. Published: 2017-07-14T20:00:00.000Z Updated: 2024-08-06T06:32:32.742Z Open on db.gcve.eu Reference links http://projects.theforeman.org/issues/11119 https://bugzilla.redhat.com/show_bug.cgi?id=1243571	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2014-4507`	vulnerable	2026-06-08 05:05:44.985718	Details available Directory traversal vulnerability in Smart-Proxy in Foreman before 1.4.5 and 1.5.x before 1.5.1 allows remote attackers to overwrite arbitrary files via a .. (dot dot) in the dst parameter to tftp/fetch_boot_file. Published: 2014-06-20T14:00:00.000Z Updated: 2024-09-16T20:07:12.420Z Open on db.gcve.eu Reference links http://projects.theforeman.org/issues/6086	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2014-3492`	vulnerable	2026-06-08 05:05:32.994268	Details available Multiple cross-site scripting (XSS) vulnerabilities in the host YAML view in Foreman before 1.4.5 and 1.5.x before 1.5.1 allow remote attackers to inject arbitrary web script or HTML via a parameter (1) name or (2) value related to the host. Published: 2014-07-01T16:00:00.000Z Updated: 2024-08-06T10:43:06.136Z Open on db.gcve.eu Reference links http://projects.theforeman.org/issues/6149	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2014-3491`	vulnerable	2026-06-08 05:05:32.991756	Details available Cross-site scripting (XSS) vulnerability in Foreman before 1.4.5 and 1.5.x before 1.5.1 allows remote attackers to inject arbitrary web script or HTML via the Name field to the New Host groups page, related to create, update, and destroy notification boxes. Published: 2014-07-01T16:00:00.000Z Updated: 2024-08-06T10:43:06.343Z Open on db.gcve.eu Reference links http://projects.theforeman.org/issues/5881	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2014-0192`	vulnerable	2026-06-08 05:05:12.126770	Details available Foreman 1.4.0 before 1.5.0 does not properly restrict access to provisioning template previews, which allows remote attackers to obtain sensitive information via the hostname parameter, related to "spoof." Published: 2014-05-08T14:00:00.000Z Updated: 2024-08-06T09:05:39.323Z Open on db.gcve.eu Reference links http://theforeman.org/security.html http://projects.theforeman.org/issues/5436 https://bugzilla.redhat.com/show_bug.cgi?id=1092354	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2014-0090`	vulnerable	2026-06-08 05:05:11.388740	Details available Session fixation vulnerability in Foreman before 1.4.2 allows remote attackers to hijack web sessions via the session id cookie. Published: 2014-05-08T14:00:00.000Z Updated: 2024-08-06T09:05:38.660Z Open on db.gcve.eu Reference links https://bugzilla.redhat.com/show_bug.cgi?id=1072151 http://projects.theforeman.org/issues/4457 http://theforeman.org/security.html	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2014-0089`	vulnerable	2026-06-08 05:05:11.383290	Details available Cross-site scripting (XSS) vulnerability in app/views/common/500.html.erb in Foreman 1.4.x before 1.4.2 allows remote authenticated users to inject arbitrary web script or HTML via the bookmark name when adding a bookmark. Published: 2014-03-27T16:00:00.000Z Updated: 2024-08-06T09:05:37.068Z Open on db.gcve.eu Reference links https://bugzilla.redhat.com/show_bug.cgi?id=1071741 http://projects.theforeman.org/issues/4456 http://theforeman.org/security.html http://secunia.com/advisories/57575	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2014-0007`	vulnerable	2026-06-08 05:05:10.537002	Details available The Smart-Proxy in Foreman before 1.4.5 and 1.5.x before 1.5.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the path parameter to tftp/fetch_boot_file. Published: 2014-06-20T14:00:00.000Z Updated: 2024-08-06T08:58:26.563Z Open on db.gcve.eu Reference links http://projects.theforeman.org/issues/6086 http://rhn.redhat.com/errata/RHSA-2014-0770.html	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.