Foreman 1.9+ SQL injection in dashboard page

[Tomer Brisker <tbrisker () redhat com>]

CVE-2018-1096: One of the parameters passed when saving widget positions on
the dashboard was not properly escaped leading to possibility of SQL
injection. Due to the nature of the query, exploitation is limited to
possible information disclosure and does not allow modifications to the
database. The vulnerable endpoint is only available to authenticated users.

Affects Foreman 1.9 and higher.

Patch available at https://github.com/theforeman/foreman/pull/5363
Fix will be released in Foreman 1.16.1.
For more information see: http://projects.theforeman.org/issues/23028

-- 
Have a nice day,
Tomer Brisker
Red Hat Engineering