{"id":"CVE-2016-4451","details":"The (1) Organization and (2) Locations APIs in Foreman before 1.11.3 and 1.12.x before 1.12.0-RC1 allow remote authenticated users with unlimited filters to bypass organization and location restrictions and read or modify data for an arbitrary organization by leveraging knowledge of the id of that organization.","modified":"2026-05-30T08:12:51.360159Z","published":"2016-08-19T21:59:08.337Z","references":[{"type":"ADVISORY","url":"http://projects.theforeman.org/issues/15182"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:0336"},{"type":"ADVISORY","url":"https://theforeman.org/security.html#2016-4451"},{"type":"FIX","url":"http://projects.theforeman.org/projects/foreman/repository/revisions/1144040f444b4bf4aae81940a150b26b23b4623c"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/theforeman/foreman","events":[{"introduced":"0"},{"last_affected":"0d79cf5c46c45103378145bf4f61a0cc9fcc5072"},{"last_affected":"522fa90e2953631719364921d4985d06f912a42e"}],"database_specific":{"cpe":["cpe:2.3:a:theforeman:foreman:*:*:*:*:*:*:*:*","cpe:2.3:a:theforeman:foreman:1.12.0:*:*:*:*:*:*:*"],"extracted_events":[{"introduced":"0"},{"last_affected":"1.11.2"},{"last_affected":"1.12.0"}],"source":["CPE_RANGE","CPE_STRING"]}}],"versions":["1.12.0","1.12.0-RC3","1.12.0-RC2","1.12.0-RC1","1.11.2","1.11.1","1.11.0","1.11.0-RC3","1.11.0-RC2","1.11.0-RC1","1.1","1.1RC5","1.1RC4","1.1RC3","1.1RC2","1.1RC1","1.0","1.0RC5","1.0RC4","1.0RC3","1.0RC2","1.0RC1","0.4","0.4rc5","0.4rc4","0.4rc3","0.4rc2","0.3","0.2","0.2rc1","0.1-6","0.1-5","0.1-4","0.1-3","0.1-2","0.1-1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2016-4451.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/theforeman/foreman-installer","events":[{"introduced":"0"},{"last_affected":"c9f8ee494f8a2991a33951c575604d8b8ed52d32"},{"last_affected":"ae2ac4e445bdd0541651a9b15e94648eb5fcd34a"}],"database_specific":{"cpe":["cpe:2.3:a:theforeman:foreman:*:*:*:*:*:*:*:*","cpe:2.3:a:theforeman:foreman:1.12.0:*:*:*:*:*:*:*"],"extracted_events":[{"introduced":"0"},{"last_affected":"1.11.2"},{"last_affected":"1.12.0"}],"source":["CPE_RANGE","CPE_STRING"]}}],"versions":["1.12.0","1.12.0-RC3","1.12.0-RC2","1.11.2","1.12.0-RC1","1.11.1","1.11.0","1.11.0-RC3","1.11.0-RC2","1.11.0-RC1","1.0.1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2016-4451.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/theforeman/smart-proxy","events":[{"introduced":"0"},{"last_affected":"32fc25f8928a8974c54d379991b0b0355ab4d6b4"},{"last_affected":"fb319164de15280fb59bc25448d7f00d86703d15"}],"database_specific":{"cpe":["cpe:2.3:a:theforeman:foreman:*:*:*:*:*:*:*:*","cpe:2.3:a:theforeman:foreman:1.12.0:*:*:*:*:*:*:*"],"extracted_events":[{"introduced":"0"},{"last_affected":"1.11.2"},{"last_affected":"1.12.0"}],"source":["CPE_RANGE","CPE_STRING"]}}],"versions":["1.12.0","1.12.0-RC3","1.12.0-RC2","1.12.0-RC1","1.11.2","1.11.1","1.11.0","1.11.0-RC3","1.11.0-RC2","1.11.0-RC1","1.1","1.1RC3","1.1RC2","1.1RC1","1.0","1.0RC2","1.0RC1","0.3","0.2","0.2rc2","0.1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2016-4451.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L"}]}