38 matches found
openSUSE: Security Advisory for Fixes (openSUSE-SU-2013:1954-1)
The remote host is missing an update for the SPDX-FileCopyrightText: 2013 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...
Fixes a local vulnerability (important)
Fixed CVE-2013-3709: make the secret token file secrettoken.rb readable only for the webyast user to avoid forging the session cookie bnc851116 reported by joernchen of Phenoelit...
CVE-2013-3709
WebYaST 1.3 uses weak permissions for config/initializers/secrettoken.rb, which allows local users to gain privileges by reading the Rails secret token from this file...
Design/Logic Flaw
WebYaST 1.3 uses weak permissions for config/initializers/secrettoken.rb, which allows local users to gain privileges by reading the Rails secret token from this file...
CVE-2013-3709
WebYaST 1.3 uses weak permissions for config/initializers/secrettoken.rb, which allows local users to gain privileges by reading the Rails secret token from this file...
CVE-2013-3709
CVE-2013-3709 affects WebYaST 1.3 where the config/initializers/secret_token.rb file has weak permissions, allowing a local attacker to read the Rails secret token and potentially forge session cookies. SUSE/openSUSE advisories (openSUSE-SU-2013:1952/1954/1961) patch this by making secret_token.r...
SUSE-RU-2015:0793-1 Security update for webyast
The following security issue has been fixed: CVE-2013-3709: webyast: local privilege escalation via secret rails tokens execution. This vulnerability was reported by joernchen of Phenoelit. Security Issue reference: CVE-2013-3709...
Design/Logic Flaw
SUSE WebYaST before 1.2 0.2.63-0.6.1 allows remote attackers to modify the hosts list, and subsequently conduct man-in-the-middle attacks, via a crafted /host request on TCP port 4984...
CVE-2012-0435
SUSE WebYaST before 1.2 0.2.63-0.6.1 allows remote attackers to modify the hosts list, and subsequently conduct man-in-the-middle attacks, via a crafted /host request on TCP port 4984...
CVE-2012-0435
SUSE WebYaST before 1.2 0.2.63-0.6.1 allows remote attackers to modify the hosts list, and subsequently conduct man-in-the-middle attacks, via a crafted /host request on TCP port 4984...
CVE-2012-0435
CVE-2012-0435 affects SUSE WebYaST prior to 1.2 0.2.63-0.6.1. A remote attacker can modify the hosts list via a crafted /host request on TCP port 4984, enabling a man-in-the-middle attack against WebYaST. The root cause is the insecure handling of the hosts list, allowing unauthenticated modifica...
WebYaST Host Modification MiTM
The WebYaST web client hosted on the remote web server is vulnerable to a man-in-the-middle attack. Authentication is not required to modify which hosts the WebYaST web client is configured to connect to. A remote, unauthenticated attacker could exploit this by causing all WebYaST traffic to be...
SUSE WebYaST remotely accessible hosts list vulnerability
Overview The WebYaST hosts list is remotely accessible by unauthenticated attackers. An attacker may be able to add a malicious host to the list and perform a man-in-the-middle attack against WebYaST. Description The SUSE security advisory states:The hosts list used by WebYaST for connecting to...
WebYaST Web Client Detection
WebYaST web client, a web interface for YaST, was detected on the remote host. YaST is used for administration of hosts running SUSE Linux operating systems. C Tenable Network Security, Inc. include"compat.inc"; if description scriptid62966; scriptversion"1.5"; scriptcvsdate"Date: 2019/11/22";...
CVE-2010-1507
WebYaST in yast2-webclient in SUSE Linux Enterprise SLE 11 on the WebYaST appliance uses a fixed secret key that is embedded in the appliance's image, which allows remote attackers to spoof session cookies by leveraging knowledge of this key...
Code injection
WebYaST in yast2-webclient in SUSE Linux Enterprise SLE 11 on the WebYaST appliance uses a fixed secret key that is embedded in the appliance's image, which allows remote attackers to spoof session cookies by leveraging knowledge of this key...
CVE-2010-1507
WebYaST in yast2-webclient in SUSE Linux Enterprise SLE 11 on the WebYaST appliance uses a fixed secret key that is embedded in the appliance's image, which allows remote attackers to spoof session cookies by leveraging knowledge of this key...
CVE-2010-1507
Vulnerability CVE-2010-1507 affects WebYaST in the yast2-webclient of SUSE Linux Enterprise 11 on the WebYaST appliance. The root cause is a fixed secret key embedded in the appliance image, which enables remote attackers to spoof session cookies by exploiting knowledge of this key. Publicly know...