Daniel Lobato Garcia

**Name of the Vulnerable Software and Affected Versions** Foreman versions prior to 1.15.0 **Description** The issue allows an information leak through the organizations and locations feature. When a user is not assigned to any organizations or locations, they can view all resources, similar to an administrator's view, although their actions are still restricted by their assigned permissions, controlling viewing, editing, and deletion. **Recommendations** For versions prior to 1.15.0, update to version 1.15.0 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive resources or implementing additional permission checks to minimize the risk of unauthorized information disclosure.

**Name of the Vulnerable Software and Affected Versions** Foreman versions 1.8.0 through 1.8.3 Foreman versions 1.9.0 through 1.9.0 **Description** The issue allows remote authenticated users with the `view reports` permission to read reports from arbitrary hosts or remote authenticated users with the `destroy reports` permission to delete reports from arbitrary hosts. This can be achieved via direct access to individual report show/delete pages or APIs. **Recommendations** For Foreman versions 1.8.0 through 1.8.3, update to version 1.8.4 to resolve the issue. For Foreman versions 1.9.0 through 1.9.0, update to version 1.9.1 to resolve the issue.