CVE-2016-2100

MEDIUM

Foreman < 1.10.3 and 1.11.0-RC2 - Authenticated Improper Access Control via Bookmark Permissions

Title source: llm
STIX 2.1

Description

Foreman before 1.10.3 and 1.11.0 before 1.11.0-RC2 allow remote authenticated users to read, modify, or delete private bookmarks by leveraging the (1) edit_bookmarks or (2) destroy_bookmarks permission.

References (4)

Core 4
Core References
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHBA-2016:1500
Mailing List mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2016/03/31/2
Issue Tracking x_refsource_confirm
http://projects.theforeman.org/issues/13828
Vendor Advisory x_refsource_confirm
http://theforeman.org/security.html#2016-2100

Scores

CVSS v3 5.4
EPSS 0.0117
EPSS Percentile 63.6%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Details

CWE
CWE-284
Status published
Products (2)
theforeman/foreman 1.11.0 (2 CPE variants)
theforeman/foreman < 1.10.2
Published May 20, 2016
Tracked Since Feb 18, 2026