CVE-2016-7078

Severity CVSS v4.0:
Pending analysis
Type:
CWE-285 Improper Authorization
Publication date:
10/09/2018
Last modified:
17/06/2026

Description

foreman before version 1.15.0 is vulnerable to an information leak through organizations and locations feature. When a user is assigned _no_ organizations/locations, they are able to view all resources instead of none (mirroring an administrator's view). The user's actions are still limited by their assigned permissions, e.g. to control viewing, editing and deletion.

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:theforeman:foreman:1.15.0:*:*:*:*:*:*:*