CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-52046
https://notcve.org/view.php?id=CVE-2023-52046
Cross Site Scripting vulnerability (XSS) in webmin v.2.105 and earlier allows a remote attacker to execute arbitrary code via a crafted payload to the "Execute cron job as" tab Input field. Vulnerabilidad de cross site scripting (XSS) en webmin v.2.105 y versiones anteriores permite a un atacante remoto ejecutar código arbitrario a través de un payload manipulado en el campo de entrada de la pestaña "Execute cron job as". • https://github.com/Acklee/webadmin_xss/blob/main/xss.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-43309
https://notcve.org/view.php?id=CVE-2023-43309
There is a stored cross-site scripting (XSS) vulnerability in Webmin 2.002 and below via the Cluster Cron Job tab Input field, which allows attackers to run malicious scripts by injecting a specially crafted payload. Vulnerabilidad de Cross-Site Scripting (XSS) almacenado en Webmin 2.002 y versiones anteriores a través del archivo Cluster Cron Job tab Input, que permite a los atacantes ejecutar scripts maliciosos inyectando un payload manipulado. • https://github.com/TishaManandhar/Webmin_xss_POC/blob/main/XSS • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 97%CPEs: 1EXPL: 6CVE-2022-36446 – Webmin 1.996 - Remote Code Execution (RCE) (Authenticated)
https://notcve.org/view.php?id=CVE-2022-36446
software/apt-lib.pl in Webmin before 1.997 lacks HTML escaping for a UI command. El archivo software/apt-lib.pl en Webmin versiones anteriores a 1.997, carece de escape HTML para un comando de la Interfaz de Usuario Webmin version 1.996 suffers from an authenticated remote code execution vulnerability. • https://www.exploit-db.com/exploits/50998 https://github.com/p0dalirius/CVE-2022-36446-Webmin-Software-Package-Updates-RCE https://github.com/emirpolatt/CVE-2022-36446 https://github.com/Kang3639/CVE-2022-36446 http://packetstormsecurity.com/files/167894/Webmin-1.996-Remote-Code-Execution.html http://packetstormsecurity.com/files/168049/Webmin-Package-Updates-Command-Injection.html https://gist.github.com/emirpolatt/cf19d6c0128fa3e25ebb47e09243919b https://github.com/webmin/webmin/commit/13f7bf9621a82d93f1e9dbd838d1e220202 • CWE-116: Improper Encoding or Escaping of Output •
CVSS: 8.8EPSS: 3%CPEs: 1EXPL: 3CVE-2022-30708
https://notcve.org/view.php?id=CVE-2022-30708
Webmin through 1.991, when the Authentic theme is used, allows remote code execution when a user has been manually created (i.e., not created in Virtualmin or Cloudmin). This occurs because settings-editor_write.cgi does not properly restrict the file parameter. Webmin versiones hasta 1.991, cuando es usado el tema Authentic, permite una ejecución de código remota cuando un usuario ha sido creado manualmente (es decir, no ha sido creado en Virtualmin o Cloudmin). Esto ocurre porque settings-editor_write.cgi no restringe apropiadamente el parámetro de archivo • https://github.com/esp0xdeadbeef/rce_webmin https://github.com/esp0xdeadbeef/rce_webmin/blob/main/exploit.py https://github.com/webmin/authentic-theme/releases https://github.com/webmin/webmin/commit/6a2334bf8b27d55c7edf0b2825cd14f3f8a69d4d https://github.com/webmin/webmin/issues/1635 https://github.com/webmin/webmin/releases https://webmin.com/changes.html https://www.twitch.tv/videos/1483029790 •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 2CVE-2022-0829 – Improper Authorization in webmin/webmin
https://notcve.org/view.php?id=CVE-2022-0829
Improper Authorization in GitHub repository webmin/webmin prior to 1.990. Una Autorización Inapropiada en el repositorio de GitHub webmin/webmin versiones anteriores a 1.990 • https://github.com/webmin/webmin/commit/eeeea3c097f5cc473770119f7ac61f1dcfa671b9 https://huntr.dev/bounties/f2d0389f-d7d1-4f34-9f9d-268b0a0da05e https://notes.netbytesec.com/2022/03/webmin-broken-access-control-to-post-auth-rce.html • CWE-285: Improper Authorization CWE-863: Incorrect Authorization •