11 matches found
CVE-2014-0130
CVE-2014-0130 describes a directory traversal in Ruby on Rails’ Action Pack (implicit_render path) affecting Rails 3.2.x before 3.2.18, 4.0.x before 4.0.5, and 4.1.x before 4.1.1. A crafted request using wildcard route globbing can cause the application to read arbitrary local files via actionpac...
CVE-2015-7501
CVE-2015-7501 involves a deserialization flaw in Apache Commons Collections that affects Red Hat JBoss Middleware stack (A-MQ 6.x; BPMS 6.x; BRMS 5.x/6.x; JDG 6.x/5.x; JDV 6.x/5.x; AEP 6.x; Fuse 6.x; FSW 6.x; JBoss ON 3.x; Portal 6.x; SOA-P 5.x; JWS 3.x; OpenShift/xPaaS 3.x; Subscription Asset Ma...
CVE-2012-6685
Nokogiri prior to 1.5.4 is vulnerable to XML External Entity (XXE) attacks. The issue arises in the XML parsing path (XXE) and is documented under CVE-2012-6685. Exploitation details are not provided beyond the XXE description. Affected software: Nokogiri (Ruby library). Root cause: XXE in XML pr...
CVE-2014-0183
CVE-2014-0183 affects Katello as shipped with Red Hat Subscription Asset Manager 1.4, vulnerable to cross-site scripting via HTML in the system name during registration. Root cause: HTML in system name not properly sanitized. Impact: potential XSS through the registration flow. Exploitation detai...
CVE-2013-6460
CVE-2013-6460 affects the Nokogiri gem (version 1.5.x) and is described in connected documents as a Denial of Service via an infinite loop when parsing XML documents. The available sources consistently state a DoS impact but do not provide concrete exploitation details or patch/version remediatio...
CVE-2012-6119
CVE-2012-6119 concerns Candlepin before 0.7.24 used in Red Hat Subscription Asset Manager before 1.2.1, where manifest signatures were not properly checked, allowing local users to modify manifests. The related VERACODE entries confirm this and tie remediation to the Red Hat 1.2.1 update (RHSA-20...
CVE-2013-1823
Affected software: Red Hat Subscription Asset Manager prior to version 1.2.1. Vulnerability: Cross-site scripting (XSS) in the Notifications form, where HTML in the username field could be injected. The root cause is improper escaping of HTML markup in the username input. Impact: Remote attackers...
CVE-2013-6439
CVE-2013-6439 affects Red Hat Subscription Asset Manager Candlepin 1.0–1.3, which uses a weak authentication scheme when the configuration file does not specify a scheme. Public sources reiterate an authentication-bypass risk. Remediation involves applying the updated candlepin packages from RHSA...
CVE-2013-6461
Nokogiri gem versions 1.5.x and 1.6.x are affected by a DoS vulnerability when parsing XML entities due to failing to apply limits. The issue is described across multiple connected sources (SUSE, Ubuntu, Debian security trackers, RubyGems advisories, and NVD). The CVE entry itself lists DoS as th...
CVE-2014-0026
CVE-2014-0026 applies to katello-headpin and is due to a CSRF vulnerability in the REST API. The issue is listed with CVSS vectors (2.0: AV:N/AC:M/Au:N/C:N/I:P/A:N; 3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N) indicating network access, no confidentiality impact, partial integrity impact, a...
CVE-2014-0029
CVE-2014-0029 affects the SAM web application in Red Hat katello-headpin (the systems management engine). The connected documents describe multiple cross-site scripting (XSS) vulnerabilities in the SAM web app, allowing remote attackers to inject arbitrary web script or HTML via unspecified param...