8
CVE-2025-10622
- EPSS 0.08%
- Veröffentlicht 05.11.2025 07:32:14
- Zuletzt bearbeitet 15.04.2026 00:35:42
- Quelle secalert@redhat.com
- CVE-Watchlists
- Unerledigt
Foreman: os command injection via ct_location and fcct_location parameters
A flaw was found in Red Hat Satellite (Foreman component). This vulnerability allows an authenticated user with edit_settings permissions to achieve arbitrary command execution on the underlying operating system via insufficient server-side validation of command whitelisting.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerThe Foreman
≫
Produkt
Foreman
Default Statusunaffected
Version
3.12.0
Version <
3.16.1
Status
affected
HerstellerRed Hat
≫
Produkt
Red Hat Satellite 6.15 for RHEL 8
Default Statusaffected
Version
0:3.9.1.13-1.el8sat
Version <
*
Status
unaffected
HerstellerRed Hat
≫
Produkt
Red Hat Satellite 6.16 for RHEL 8
Default Statusaffected
Version
0:3.12.0.11-1.el8sat
Version <
*
Status
unaffected
HerstellerRed Hat
≫
Produkt
Red Hat Satellite 6.16 for RHEL 9
Default Statusaffected
Version
0:3.12.0.11-1.el9sat
Version <
*
Status
unaffected
HerstellerRed Hat
≫
Produkt
Red Hat Satellite 6.17 for RHEL 9
Default Statusaffected
Version
0:3.14.0.10-1.el9sat
Version <
*
Status
unaffected
HerstellerRed Hat
≫
Produkt
Red Hat Satellite 6.18 for RHEL 9
Default Statusaffected
Version
0:3.16.0.4-1.el9sat
Version <
*
Status
unaffected
HerstellerRed Hat
≫
Produkt
Red Hat Satellite 6
Default Statusaffected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
Login| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.08% | 0.231 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| secalert@redhat.com | 8 | 1.3 | 6 |
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
|
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.