Show filters
17 Total Results
Displaying 1-10 of 17
Sort by:
Attacker Value
Unknown

CVE-2024-4812

Disclosure Date: June 05, 2024 (last updated June 19, 2024)
A flaw was found in the Katello plugin for Foreman, where it is possible to store malicious JavaScript code in the "Description" field of a user. This code can be executed when opening certain pages, for example, Host Collections.
Attack Vector: NetworkPrivileges: HighUser Interaction: Required
0
0
Attacker Value
Unknown

CVE-2013-4120

Disclosure Date: December 10, 2019 (last updated November 27, 2024)
Katello has a Denial of Service vulnerability in API OAuth authentication
Attack Vector: NetworkPrivileges: NoneUser Interaction: None
0
0
Attacker Value
Unknown

CVE-2013-0283

Disclosure Date: December 05, 2019 (last updated November 27, 2024)
Katello: Username in Notification page has cross site scripting
Attack Vector: NetworkPrivileges: LowUser Interaction: Required
0
0
Attacker Value
Unknown

CVE-2013-2101

Disclosure Date: December 03, 2019 (last updated November 27, 2024)
Katello has multiple XSS issues in various entities
Attack Vector: NetworkPrivileges: LowUser Interaction: Required
0
0
Attacker Value
Unknown

CVE-2019-14825

Disclosure Date: November 25, 2019 (last updated November 27, 2024)
A cleartext password storage issue was discovered in Katello, versions 3.x.x.x before katello 3.12.0.9. Registry credentials used during container image discovery were inadvertently logged without being masked. This flaw could expose the registry credentials to other privileged users.
Attack Vector: NetworkPrivileges: HighUser Interaction: None
0
0
Attacker Value
Unknown

CVE-2018-16887

Disclosure Date: January 13, 2019 (last updated November 27, 2024)
A cross-site scripting (XSS) flaw was found in the katello component of Satellite. An attacker with privilege to create/edit organizations and locations is able to execute a XSS attacks against other users through the Subscriptions or the Red Hat Repositories wizards. This can possibly lead to malicious code execution and extraction of the anti-CSRF token of higher privileged users. Versions before 3.9.0 are vulnerable.
0
0
Attacker Value
Unknown

CVE-2018-14623

Disclosure Date: December 14, 2018 (last updated November 27, 2024)
A SQL injection flaw was found in katello's errata-related API. An authenticated remote attacker can craft input data to force a malformed SQL query to the backend database, which will leak internal IDs. This is issue is related to an incomplete fix for CVE-2016-3072. Version 3.10 and older is vulnerable.
0
0
Attacker Value
Unknown

CVE-2017-2662

Disclosure Date: August 22, 2018 (last updated November 27, 2024)
A flaw was found in Foreman's katello plugin version 3.4.5. After setting a new role to allow restricted access on a repository with a filter (filter set on the Product Name), the filter is not respected when the actions are done via hammer using the repository id.
0
0
Attacker Value
Unknown

CVE-2016-9595

Disclosure Date: July 27, 2018 (last updated November 08, 2023)
A flaw was found in katello-debug before 3.4.0 where certain scripts and log files used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files.
0
0
Attacker Value
Unknown

CVE-2013-4201

Disclosure Date: May 01, 2018 (last updated November 26, 2024)
Katello allows remote authenticated users to call the "system remove_deletion" CLI command via vectors related to "remove system" permissions.
0
0
View More Topics  Next >