oss-sec mailing list archives

CVE-2016-4451: Privilege escalation through Organization and Locations Foreman API


From: Marek Hulán <mhulan () redhat com>
Date: Fri, 27 May 2016 14:34:23 +0200

CVE-2016-4451: Privilege escalation through Organization and Locations API

When accessing Foreman as a user limited to a specific organization, users 
who know another organization's id and have unlimited filters can access/modify 
that organization's data. They just have to set the id as an API parameter.

Mitigation: make sure you have filters restricted to organizations or locations 
when you limit a user by assigning them a particular organization or location.

Affects Foreman 1.7 and higher

Patch available at https://github.com/theforeman/foreman/pull/3553
Fix released in Foreman 1.11.3 (to be released)
For more information please see Redmine issue 
http://projects.theforeman.org/issues/15182

--
Marek
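The lookup the advisory describes, as an added example that is not part of the original post and not Foreman's own code: a user is assigned to one organization, the API request carries an organization id, and the user's role filter is unlimited. The vulnerable lookup honours the unlimited filter and returns whatever organization the parameter names; the hardened lookup checks the requested id against the user's assigned organizations first, so an unlimited filter can only widen access within those organizations. The classes, ids, host names and function names below are constructed for illustration and do not reflect Foreman's models or the actual fix in the linked pull request.

```ruby
# Added example, not Foreman code: models the organization-scoped lookup
# behind CVE-2016-4451 with constructed data.
require 'set'

class Organization
  attr_reader :id, :name, :hosts
  def initialize(id, name, hosts)
    @id, @name, @hosts = id, name, hosts
  end
end

class User
  attr_reader :login, :organization_ids, :unlimited_filter
  # organization_ids: organizations the user has been assigned to
  # unlimited_filter: true when the user's role filter has no scope restriction
  def initialize(login, organization_ids:, unlimited_filter:)
    @login = login
    @organization_ids = Set.new(organization_ids)
    @unlimited_filter = unlimited_filter
  end
end

class NotAuthorized < StandardError; end

# Constructed sample data (hypothetical ids and host names).
ORGS = {
  1 => Organization.new(1, 'Org A', %w[a-web01 a-db01]),
  2 => Organization.new(2, 'Org B', %w[b-web01]),
}.freeze

# Vulnerable lookup: an unlimited filter lets the id from the request pass
# straight through, so any organization whose id the user knows is reachable.
def hosts_for_vulnerable(user, organization_id)
  org = ORGS.fetch(organization_id) do |id|
    raise NotAuthorized, "unknown organization #{id}"
  end
  if user.unlimited_filter || user.organization_ids.include?(org.id)
    org.hosts
  else
    raise NotAuthorized, "#{user.login} may not access organization #{org.id}"
  end
end

# Hardened lookup: the user's assigned organizations bound the request first;
# the filter scope can narrow access further but never widen it past them.
def hosts_for_hardened(user, organization_id)
  unless user.organization_ids.include?(organization_id)
    raise NotAuthorized, "#{user.login} may not access organization #{organization_id}"
  end
  org = ORGS.fetch(organization_id) do |id|
    raise NotAuthorized, "unknown organization #{id}"
  end
  org.hosts
end

# Runs the same request through both lookups so the difference is visible;
# :denied marks a NotAuthorized result.
def cross_org_access(user, organization_id)
  {
    vulnerable: (hosts_for_vulnerable(user, organization_id) rescue :denied),
    hardened:   (hosts_for_hardened(user, organization_id) rescue :denied),
  }
end

if $PROGRAM_NAME == __FILE__
  # alice is assigned only to organization 1 but has an unlimited filter
  alice = User.new('alice', organization_ids: [1], unlimited_filter: true)
  p cross_org_access(alice, 2)
end
```

Running the file shows the vulnerable path returning Org B's hosts to a user assigned only to Org A, while the hardened path denies the request; a user whose filter is already restricted to their organization is denied by both, which is the mitigation the advisory recommends until the fix is deployed.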


