CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 2CVE-2017-15645 – Webmin 1.850 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2017-15645
CSRF exists in Webmin 1.850. By sending a GET request to at/create_job.cgi containing dir=/&cmd= in the URI, an attacker to execute arbitrary commands. Existe CSRF en Webmin 1.850. Enviando una petición GET a at/create_job.cgi que contenga dir=/cmd= en la URI, un atacante puede ejecutar comandos arbitrarios. Webmin version 1.850 suffers from server side request forgery, cross site request forgery, and cross site scripting vulnerabilities, the last of which can lead to remote command execution. • https://www.exploit-db.com/exploits/42989 http://www.webmin.com/changes.html http://www.webmin.com/security.html https://blogs.securiteam.com/index.php/archives/3430 https://github.com/webmin/webmin/commit/0c58892732ee7610a7abba5507614366d382c9c9 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.6EPSS: 0%CPEs: 1EXPL: 2CVE-2017-15644 – Webmin 1.850 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2017-15644
SSRF exists in Webmin 1.850 via the PATH_INFO to tunnel/link.cgi, as demonstrated by a GET request for tunnel/link.cgi/http://INTRANET-IP:8000. Existe SSRF en Webmin 1.850 mediante PATH_INFO a tunnel/link.cgi, como se ha demostrado por una petición GET para tunnel/link.cgi/http://INTRANET-IP:8000. Webmin version 1.850 suffers from server side request forgery, cross site request forgery, and cross site scripting vulnerabilities, the last of which can lead to remote command execution. • https://www.exploit-db.com/exploits/42989 http://www.webmin.com/changes.html http://www.webmin.com/security.html https://blogs.securiteam.com/index.php/archives/3430 https://github.com/webmin/webmin/commit/0c58892732ee7610a7abba5507614366d382c9c9 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2017-9313 – Webmin 1.840 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2017-9313
Multiple Cross-site scripting (XSS) vulnerabilities in Webmin before 1.850 allow remote attackers to inject arbitrary web script or HTML via the sec parameter to view_man.cgi, the referers parameter to change_referers.cgi, or the name parameter to save_user.cgi. NOTE: these issues were not fixed in 1.840. Múltiples vulnerabilidades de tipo cross-site-scripting (XSS) en Webmin anterior a la versión 1.850, permiten a los atacantes remotos inyectar script web o HTML arbitrario por medio del parámetro sec en el archivo view_man.cgi, el parámetro referers en el archivo change_referers.cgi, o el parámetro name en el archivo save_user.cgi. NOTA: estos problemas no fueron corregidos en la versión 1.840. Webmin version 1.840 suffers from a cross site scripting vulnerability. • http://seclists.org/bugtraq/2017/Jul/3 http://www.securityfocus.com/bid/99373 http://www.securitytracker.com/id/1038814 http://www.webmin.com/changes.html https://github.com/webmin/webmin/commit/a330e913ee099cb9c586ce1b9267647fc566c1ab https://github.com/webmin/webmin/commit/c2d4a90639afb2403979aa91ba75cb332ae16d1b • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2017-2106
https://notcve.org/view.php?id=CVE-2017-2106
Multiple cross-site scripting vulnerabilities in Webmin versions prior to 1.830 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Varias vulnerabilidades de secuencias de comandos entre sitios en Webmin versiones anteriores a 1.830 permiten a atacantes remotos inyectar secuencias de comandos web o HTML a través de vectores no especificados. • http://jvn.jp/en/jp/JVN34207650/index.html http://www.securityfocus.com/bid/96227 https://github.com/webmin/webmin/commit/475cc4fbdf51c865b291d252d81a58bad05de0c7 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.9EPSS: 0%CPEs: 1EXPL: 0CVE-2015-1377
https://notcve.org/view.php?id=CVE-2015-1377
The Read Mail module in Webmin 1.720 allows local users to read arbitrary files via a symlink attack on an unspecified file. El módulo Read Mail en Webmin 1.720 permite a usuarios locales leer ficheros arbitrarios a través de un ataque de enlace simbólico sobre un fichero no especificado. • http://secunia.com/advisories/62157 http://www.webmin.com/changes.html http://www.webmin.com/security.html • CWE-59: Improper Link Resolution Before File Access ('Link Following') •