CVE-2023-41163
https://notcve.org/view.php?id=CVE-2023-41163
A Reflected Cross-site scripting (XSS) vulnerability in the file manager tab in Usermin 2.000 allows remote attackers to inject arbitrary web script or HTML via the replace in results field while replacing the results under the tools drop down. • https://github.com/shindeanik/Usermin-2.000/blob/main/CVE-2023-41163 https://webmin.com/tags/webmin-changelog • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2022-3844 – Webmin index.cgi cross site scripting
https://notcve.org/view.php?id=CVE-2022-3844
A vulnerability, which was classified as problematic, was found in Webmin 2.001. Affected is an unknown function of the file xterm/index.cgi. The manipulation leads to basic cross site scripting. It is possible to launch the attack remotely. Upgrading to version 2.003 is able to address this issue. • https://github.com/webmin/webmin/commit/d3d33af3c0c3fd3a889c84e287a038b7a457d811 https://github.com/webmin/webmin/releases/tag/2.003 https://vuldb.com/?ctiid.212862 https://vuldb.com/?id.212862 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •
CVE-2022-36880
https://notcve.org/view.php?id=CVE-2022-36880
The Read Mail module in Webmin 1.995 and Usermin through 1.850 allows XSS via a crafted HTML e-mail message. El módulo Read Mail de Webmin 1.995 y Usermin hasta 1.850 permite un ataque de tipo XSS por medio de un mensaje de correo electrónico HTML diseñado • https://www.webmin.com/security.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2022-36446 – Webmin 1.996 - Remote Code Execution (RCE) (Authenticated)
https://notcve.org/view.php?id=CVE-2022-36446
software/apt-lib.pl in Webmin before 1.997 lacks HTML escaping for a UI command. El archivo software/apt-lib.pl en Webmin versiones anteriores a 1.997, carece de escape HTML para un comando de la Interfaz de Usuario Webmin version 1.996 suffers from an authenticated remote code execution vulnerability. • https://www.exploit-db.com/exploits/50998 https://github.com/p0dalirius/CVE-2022-36446-Webmin-Software-Package-Updates-RCE https://github.com/emirpolatt/CVE-2022-36446 https://github.com/Kang3639/CVE-2022-36446 http://packetstormsecurity.com/files/167894/Webmin-1.996-Remote-Code-Execution.html http://packetstormsecurity.com/files/168049/Webmin-Package-Updates-Command-Injection.html https://gist.github.com/emirpolatt/cf19d6c0128fa3e25ebb47e09243919b https://github.com/webmin/webmin/commit/13f7bf9621a82d93f1e9dbd838d1e220202 • CWE-116: Improper Encoding or Escaping of Output •
CVE-2022-30708
https://notcve.org/view.php?id=CVE-2022-30708
Webmin through 1.991, when the Authentic theme is used, allows remote code execution when a user has been manually created (i.e., not created in Virtualmin or Cloudmin). This occurs because settings-editor_write.cgi does not properly restrict the file parameter. Webmin versiones hasta 1.991, cuando es usado el tema Authentic, permite una ejecución de código remota cuando un usuario ha sido creado manualmente (es decir, no ha sido creado en Virtualmin o Cloudmin). Esto ocurre porque settings-editor_write.cgi no restringe apropiadamente el parámetro de archivo • https://github.com/esp0xdeadbeef/rce_webmin https://github.com/esp0xdeadbeef/rce_webmin/blob/main/exploit.py https://github.com/webmin/authentic-theme/releases https://github.com/webmin/webmin/commit/6a2334bf8b27d55c7edf0b2825cd14f3f8a69d4d https://github.com/webmin/webmin/issues/1635 https://github.com/webmin/webmin/releases https://webmin.com/changes.html https://www.twitch.tv/videos/1483029790 •