2 Total Results
Attacker Value
Unknown
CVE-2015-5202
Disclosure Date: June 07, 2017 (last updated November 08, 2023)
Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2015-5233. Reason: This candidate is a reservation duplicate of CVE-2015-5233. Notes: All CVE users should reference CVE-2015-5233 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.
Attacker Value
Unknown
CVE-2015-5233
Disclosure Date: April 11, 2016 (last updated November 25, 2024)
Foreman before 1.8.4 and 1.9.x before 1.9.1 do not properly apply view_hosts permissions, which allows (1) remote authenticated users with the view_reports permission to read reports from arbitrary hosts or (2) remote authenticated users with the destroy_reports permission to delete reports from arbitrary hosts via direct access to the (a) individual report show/delete pages or (b) APIs.