The SATAN session key may be disclosed if the user points the web browser to other sites, possibly allowing root access.