CVE-2021-31761 – Webmin 1.973 - 'run.cgi' Cross-Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2021-31761
Webmin 1.973 is affected by reflected Cross Site Scripting (XSS) to achieve Remote Command Execution through Webmin's running process feature. Webmin versión 1.973, esta afectado por una vulnerabilidad de tipo Cross Site Scripting (XSS) reflejado para lograr una ejecución de comandos remota por medio de la funcionalidad Webmin's running process • https://www.exploit-db.com/exploits/50144 https://github.com/electronicbots/CVE-2021-31761 https://github.com/Mesh3l911/CVE-2021-31761 http://packetstormsecurity.com/files/163559/Webmin-1.973-Cross-Site-Request-Forgery.html https://github.com/webmin/webmin https://youtu.be/23VvUMu-28c • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-31760
https://notcve.org/view.php?id=CVE-2021-31760
Webmin 1.973 is affected by Cross Site Request Forgery (CSRF) to achieve Remote Command Execution (RCE) through Webmin's running process feature. Webmin versión 1.973, esta afectado por una vulnerabilidad de tipo Cross Site Request Forgery (CSRF) para lograr una Ejecución de Comandos Remota (RCE) por medio de la funcionalidad Webmin's running process • https://github.com/electronicbots/CVE-2021-31760 https://github.com/Mesh3l911/CVE-2021-31760 https://github.com/webmin/webmin https://youtu.be/D45FN8QrzDo • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2020-35769
https://notcve.org/view.php?id=CVE-2020-35769
miniserv.pl in Webmin 1.962 on Windows mishandles special characters in query arguments to the CGI program. El archivo miniserv.pl en Webmin versión 1.962 en Windows, maneja inapropiadamente unos caracteres especiales en los argumentos de consulta para el programa CGI • https://github.com/webmin/webmin/commit/1163f3a7f418f249af64890f4636575e687e9de7#diff-9b33fd8f5603d4f0d1428689bc36f24af4770608a22c0d92b7a8bcc522450dc6 https://vigilance.fr/vulnerability/Webmin-code-execution-via-miniserv-pl-handle-request-34220 •
CVE-2020-35606 – Webmin 1.962 - 'Package Updates' Escape Bypass RCE
https://notcve.org/view.php?id=CVE-2020-35606
Arbitrary command execution can occur in Webmin through 1.962. Any user authorized for the Package Updates module can execute arbitrary commands with root privileges via vectors involving %0A and %0C. NOTE: this issue exists because of an incomplete fix for CVE-2019-12840. Una ejecución de comandos arbitraria puede ocurrir en Webmin versiones hasta 1.962. Cualquier usuario autorizado para el módulo Package Updates puede ejecutar comandos arbitrarios con privilegios root por medio de vectores que involucran %0A y %0C. • https://www.exploit-db.com/exploits/49318 http://packetstormsecurity.com/files/160676/Webmin-1.962-Remote-Command-Execution.html https://www.pentest.com.tr/exploits/Webmin-1962-PU-Escape-Bypass-Remote-Command-Execution.html https://www.webmin.com/download.html • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVE-2020-12670
https://notcve.org/view.php?id=CVE-2020-12670
XSS exists in Webmin 1.941 and earlier affecting the Save function of the Read User Email Module / mailboxes Endpoint when attempting to save HTML emails. This module parses any output without sanitizing SCRIPT elements, as opposed to the View function, which sanitizes the input correctly. A malicious user can send any JavaScript payload into the message body and execute it if the user decides to save that email. Se presenta una vulnerabilidad de tipo XSS en Webmin versiones 1.941 y anteriores, afectando a la función Save del Endpoint Read User Email Module / mailboxes cuando se intenta guardar correos electrónicos HTML. Este módulo analiza cualquier salida sin sanear los elementos SCRIPT, a diferencia de la función View, que sanea la entrada correctamente. • https://www.webmin.com/security.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •