Code injection

Foreman before 1.8.4 and 1.9.x before 1.9.1 do not properly apply viewhosts permissions, which allows 1 remote authenticated users with the viewreports permission to read reports from arbitrary hosts or 2 remote authenticated users with the destroyreports permission to delete reports from arbitra...