CVE-2023-38311
https://notcve.org/view.php?id=CVE-2023-38311
An issue was discovered in Webmin 2.021. A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the System Logs Viewer functionality. The vulnerability allows an attacker to store a malicious payload in the configuration field, triggering the execution of the payload when saving the configuration or when accessing the System Logs Viewer page. • https://github.com/jaysharma786/Webmin-2.021/blob/main/CVE-2023-38311 https://webmin.com/tags/webmin-changelog • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2023-38304
https://notcve.org/view.php?id=CVE-2023-38304
An issue was discovered in Webmin 2.021. A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Users and Groups functionality, allowing an attacker to store a malicious payload in the Group Name field when creating a new group. • https://github.com/jaysharma786/Webmin-2.021/blob/main/CVE-2023-38304 https://webmin.com/tags/webmin-changelog • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2022-3844 – Webmin index.cgi cross site scripting
https://notcve.org/view.php?id=CVE-2022-3844
A vulnerability, which was classified as problematic, was found in Webmin 2.001. Affected is an unknown function of the file xterm/index.cgi. The manipulation leads to basic cross site scripting. It is possible to launch the attack remotely. Upgrading to version 2.003 is able to address this issue. • https://github.com/webmin/webmin/commit/d3d33af3c0c3fd3a889c84e287a038b7a457d811 https://github.com/webmin/webmin/releases/tag/2.003 https://vuldb.com/?ctiid.212862 https://vuldb.com/?id.212862 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •
CVE-2022-36880
https://notcve.org/view.php?id=CVE-2022-36880
The Read Mail module in Webmin 1.995 and Usermin through 1.850 allows XSS via a crafted HTML e-mail message. El módulo Read Mail de Webmin 1.995 y Usermin hasta 1.850 permite un ataque de tipo XSS por medio de un mensaje de correo electrónico HTML diseñado • https://www.webmin.com/security.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2022-36446 – Webmin 1.996 - Remote Code Execution (RCE) (Authenticated)
https://notcve.org/view.php?id=CVE-2022-36446
software/apt-lib.pl in Webmin before 1.997 lacks HTML escaping for a UI command. El archivo software/apt-lib.pl en Webmin versiones anteriores a 1.997, carece de escape HTML para un comando de la Interfaz de Usuario Webmin version 1.996 suffers from an authenticated remote code execution vulnerability. • https://www.exploit-db.com/exploits/50998 https://github.com/p0dalirius/CVE-2022-36446-Webmin-Software-Package-Updates-RCE https://github.com/emirpolatt/CVE-2022-36446 https://github.com/Kang3639/CVE-2022-36446 http://packetstormsecurity.com/files/167894/Webmin-1.996-Remote-Code-Execution.html http://packetstormsecurity.com/files/168049/Webmin-Package-Updates-Command-Injection.html https://gist.github.com/emirpolatt/cf19d6c0128fa3e25ebb47e09243919b https://github.com/webmin/webmin/commit/13f7bf9621a82d93f1e9dbd838d1e220202 • CWE-116: Improper Encoding or Escaping of Output •