CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2023-38308
https://notcve.org/view.php?id=CVE-2023-38308
31 Jul 2023 — An issue was discovered in Webmin 2.021. A Cross-Site Scripting (XSS) vulnerability was discovered in the HTTP Tunnel functionality when handling third-party domain URLs. By providing a crafted URL from a third-party domain, an attacker can inject malicious code. leading to the execution of arbitrary JavaScript code within the context of the victim's browser. • https://github.com/jaysharma786/Webmin-2.021/blob/main/CVE-2023-38308 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2023-38309
https://notcve.org/view.php?id=CVE-2023-38309
31 Jul 2023 — An issue was discovered in Webmin 2.021. A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the package search functionality. The vulnerability allows an attacker to inject a malicious payload in the "Search for Package" field, which gets reflected back in the application's response, leading to the execution of arbitrary JavaScript code within the context of the victim's browser. • https://github.com/jaysharma786/Webmin-2.021/blob/main/CVE-2023-38309 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 1CVE-2023-38310
https://notcve.org/view.php?id=CVE-2023-38310
31 Jul 2023 — An issue was discovered in Webmin 2.021. A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the configuration settings of the system logs functionality. The vulnerability allows an attacker to store an XSS payload in the configuration settings of specific log files. This results in the execution of that payload whenever the affected log files are accessed. • https://github.com/jaysharma786/Webmin-2.021/blob/main/CVE-2023-38310 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 1CVE-2023-38311
https://notcve.org/view.php?id=CVE-2023-38311
31 Jul 2023 — An issue was discovered in Webmin 2.021. A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the System Logs Viewer functionality. The vulnerability allows an attacker to store a malicious payload in the configuration field, triggering the execution of the payload when saving the configuration or when accessing the System Logs Viewer page. • https://github.com/jaysharma786/Webmin-2.021/blob/main/CVE-2023-38311 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2022-3844 – Webmin index.cgi cross site scripting
https://notcve.org/view.php?id=CVE-2022-3844
02 Nov 2022 — A vulnerability, which was classified as problematic, was found in Webmin 2.001. Affected is an unknown function of the file xterm/index.cgi. The manipulation leads to basic cross site scripting. It is possible to launch the attack remotely. Upgrading to version 2.003 is able to address this issue. • https://github.com/webmin/webmin/commit/d3d33af3c0c3fd3a889c84e287a038b7a457d811 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2022-36880
https://notcve.org/view.php?id=CVE-2022-36880
27 Jul 2022 — The Read Mail module in Webmin 1.995 and Usermin through 1.850 allows XSS via a crafted HTML e-mail message. El módulo Read Mail de Webmin 1.995 y Usermin hasta 1.850 permite un ataque de tipo XSS por medio de un mensaje de correo electrónico HTML diseñado • https://www.webmin.com/security.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 93%CPEs: 1EXPL: 8CVE-2022-36446 – Webmin 1.996 - Remote Code Execution (RCE) (Authenticated)
https://notcve.org/view.php?id=CVE-2022-36446
25 Jul 2022 — software/apt-lib.pl in Webmin before 1.997 lacks HTML escaping for a UI command. El archivo software/apt-lib.pl en Webmin versiones anteriores a 1.997, carece de escape HTML para un comando de la Interfaz de Usuario Webmin version 1.996 suffers from an authenticated remote code execution vulnerability. • https://packetstorm.news/files/id/167894 • CWE-116: Improper Encoding or Escaping of Output •
CVSS: 8.8EPSS: 1%CPEs: 1EXPL: 3CVE-2022-30708
https://notcve.org/view.php?id=CVE-2022-30708
15 May 2022 — Webmin through 1.991, when the Authentic theme is used, allows remote code execution when a user has been manually created (i.e., not created in Virtualmin or Cloudmin). This occurs because settings-editor_write.cgi does not properly restrict the file parameter. Webmin versiones hasta 1.991, cuando es usado el tema Authentic, permite una ejecución de código remota cuando un usuario ha sido creado manualmente (es decir, no ha sido creado en Virtualmin o Cloudmin). Esto ocurre porque settings-editor_write.cgi... • https://github.com/esp0xdeadbeef/rce_webmin •
CVSS: 8.8EPSS: 6%CPEs: 1EXPL: 1CVE-2021-32162
https://notcve.org/view.php?id=CVE-2021-32162
11 Apr 2022 — A Cross-site request forgery (CSRF) vulnerability exists in Webmin 1.973 through the File Manager feature. Se presenta una vulnerabilidad de tipo Cross-site request forgery (CSRF) en Webmin versión 1.973, mediante la funcionalidad File Manager • https://github.com/Mesh3l911/CVE-2021-32162 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.1EPSS: 3%CPEs: 1EXPL: 1CVE-2021-32161
https://notcve.org/view.php?id=CVE-2021-32161
11 Apr 2022 — A Cross-Site Scripting (XSS) vulnerability exists in Webmin 1.973 through the File Manager feature. Se presenta una vulnerabilidad de tipo Cross-Site Scripting (XSS) en Webmin versión 1.973 mediante la función File Manager • https://github.com/Mesh3l911/CVE-2021-32161 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •