Simon Holl

**Name of the Vulnerable Software and Affected Versions** SUSE Manager versions prior to 0.3.7-150600.3.6.2 SUSE Manager versions prior to 5.0.14-150600.4.17.1 Image SLES15-SP4-Manager-Server-4-3-BYOS versions prior to 4.3.33-150400.3.55.2 Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure versions prior to 4.3.33-150400.3.55.2 Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2 versions prior to 4.3.33-150400.3.55.2 Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE versions prior to 4.3.33-150400.3.55.2 SUSE Manager Server Module 4.3 versions prior to 0.3.7-150400.3.39.4 SUSE Manager Server Module 4.3 versions prior to 4.3.33-150400.3.55.2 **Description** A missing authentication check for critical functions in SUSE Manager allows unauthenticated attackers with access to the websocket at `/rhn/websocket/minion/remote-commands` to execute arbitrary commands as root. **Recommendations** Update SUSE Manager to version 0.3.7-150600.3.6.2 or later. Update SUSE Manager to version 5.0.14-150600.4.17.1 or later. Update Image SLES15-SP4-Manager-Server-4-3-BYOS to version 4.3.33-150400.3.55.2 or later. Update Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure to version 4.3.33-150400.3.55.2 or later. Update Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2 to version 4.3.33-150400.3.55.2 or later. Update Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE to version 4.3.33-150400.3.55.2 or later. Update SUSE Manager Server Module 4.3 to version 0.3.7-150400.3.39.4 or later. Update SUSE Manager Server Module 4.3 to version 4.3.33-150400.3.55.2 or later.

**Name of the Vulnerable Software and Affected Versions** ORDAT FOSS-Online versions prior to 2.24.01 **Description** The issue is related to a SQL injection vulnerability in the forgot password function. **Recommendations** For versions prior to 2.24.01, update to version 2.24.01 or later to resolve the issue. As a temporary workaround, consider restricting access to the forgot password function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** ORDAT FOSS-Online versions prior to 2.24.01 **Description** A reflected cross-site scripting (XSS) vulnerability was discovered in the login page of ORDAT FOSS-Online. This issue allows for the execution of malicious scripts, potentially leading to unauthorized access or data theft. The vulnerability is exploited via the login page, but specific details about API endpoints, vulnerable parameters, or function names are not provided. **Recommendations** For versions prior to 2.24.01, update to version 2.24.01 or later to resolve the issue. As a temporary workaround, consider restricting access to the login page until the update can be applied. Avoid using the login functionality in a way that could potentially exploit the reflected XSS vulnerability until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** ORDAT FOSS-Online versions prior to 2.24.01 **Description** A user enumeration issue exists, allowing attackers to determine if an account exists in the application by comparing server responses of the forgot password functionality. **Recommendations** For versions prior to 2.24.01, update to version 2.24.01 or later to resolve the issue. As a temporary workaround, consider restricting access to the forgot password functionality until a patch is available.