6 matches found
HackerOne: Organization members can delete reports in teams they have no access to
Reports in teams could be deleted by organization members without access to those teams. The vulnerability allowed deletion of analytics reports for restricted teams through a GraphQL mutation even when members lacked permissions to view or edit those reports...
PeTeReport Cross-Site Request Forgery Vulnerability
PeTeReport is an open source application vulnerability reporting tool. Designed to assist penetration testing/red team efforts by simplifying the task of report writing and generation, PeTeReport suffers from a cross-site request forgery vulnerability that could be exploited by attackers to trick...
Foreman Unauthorized Operation Vulnerability
Foreman is a set of lifecycle management tools for use in physical and virtual servers. The tool provides features such as service provisioning, configuration management, and status reporting. A security vulnerability exists in Foreman versions prior to 1.8.4 and 1.9.x prior to 1.9.1, which stems...
Code injection
Foreman before 1.8.4 and 1.9.x before 1.9.1 do not properly apply view_hosts permissions, which allows (1) remote authenticated users with the view_reports permission to read reports from arbitrary hosts or (2) remote authenticated users with the destroy_reports permission to delete reports from arbitra...
PT-2016-3676 · Foreman · Foreman
Name of the Vulnerable Software and Affected Versions: Foreman versions 1.8.0 through 1.8.3; Foreman versions 1.9.0 through 1.9.0. Description: The issue allows remote authenticated users with the view reports permission to read reports from arbitrary hosts or remote authenticated users with the...
foreman: reports show/destroy not restricted by host authorization
A flaw was discovered where Satellite failed to properly enforce permissions on the show and delete actions for reports. An authenticated user with show or delete report permissions could use this flaw to view or delete any reports held in Foreman...