CVSS: 9.0EPSS: 86%CPEs: 1EXPL: 5CVE-2020-35606 – Webmin 1.962 - 'Package Updates' Escape Bypass RCE
https://notcve.org/view.php?id=CVE-2020-35606
21 Dec 2020 — Arbitrary command execution can occur in Webmin through 1.962. Any user authorized for the Package Updates module can execute arbitrary commands with root privileges via vectors involving %0A and %0C. NOTE: this issue exists because of an incomplete fix for CVE-2019-12840. Una ejecución de comandos arbitraria puede ocurrir en Webmin versiones hasta 1.962. Cualquier usuario autorizado para el módulo Package Updates puede ejecutar comandos arbitrarios con privilegios root por medio de vectores que involu... • https://packetstorm.news/files/id/160676 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2020-12670
https://notcve.org/view.php?id=CVE-2020-12670
12 Oct 2020 — XSS exists in Webmin 1.941 and earlier affecting the Save function of the Read User Email Module / mailboxes Endpoint when attempting to save HTML emails. This module parses any output without sanitizing SCRIPT elements, as opposed to the View function, which sanitizes the input correctly. A malicious user can send any JavaScript payload into the message body and execute it if the user decides to save that email. Se presenta una vulnerabilidad de tipo XSS en Webmin versiones 1.941 y anteriores, afectando a ... • https://www.webmin.com/security.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 2%CPEs: 1EXPL: 0CVE-2020-8821
https://notcve.org/view.php?id=CVE-2020-8821
12 Oct 2020 — An Improper Data Validation Vulnerability exists in Webmin 1.941 and earlier affecting the Command Shell Endpoint. A user may enter HTML code into the Command field and submit it. Then, after visiting the Action Logs Menu and displaying logs, the HTML code will be rendered (however, JavaScript is not executed). Changes are kept across users. Se presenta una vulnerabilidad de Comprobación de Datos Inapropiada en Webmin versiones 1.941 y anteriores, afectando al Endpoint Command Shell. • https://www.webmin.com/security.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2020-8820
https://notcve.org/view.php?id=CVE-2020-8820
12 Oct 2020 — An XSS Vulnerability exists in Webmin 1.941 and earlier affecting the Cluster Shell Commands Endpoint. A user may enter any XSS Payload into the Command field and execute it. Then, after revisiting the Cluster Shell Commands Menu, the XSS Payload will be rendered and executed. Se presenta una vulnerabilidad de tipo XSS en Webmin versiones 1.941 y anteriores, afectando al Endpoint Cluster Shell Commands. Un usuario puede ingresar cualquier Carga Útil XSS en el campo Command y ejecutarlo. • https://www.webmin.com/security.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 91%CPEs: 1EXPL: 2CVE-2019-15642
https://notcve.org/view.php?id=CVE-2019-15642
26 Aug 2019 — rpc.cgi in Webmin through 1.920 allows authenticated Remote Code Execution via a crafted object name because unserialise_variable makes an eval call. NOTE: the Webmin_Servers_Index documentation states "RPC can be used to run any command or modify any file on a server, which is why access to it must not be granted to un-trusted Webmin users." rpc.cgi en Webmin hasta la version 1.920 permite la ejecución remota de código autenticada a través de un nombre de objeto diseñado porque unserialise_variable realiza... • https://github.com/jas502n/CVE-2019-15642 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 1CVE-2019-15641
https://notcve.org/view.php?id=CVE-2019-15641
26 Aug 2019 — xmlrpc.cgi in Webmin through 1.930 allows authenticated XXE attacks. By default, only root, admin, and sysadm can access xmlrpc.cgi. xmlrpc.cgi en Webmin a través de 1.930 permite ataques XXE autenticados. De forma predeterminada, solo root, admin y sysadm pueden tener acceso a xmlrpc.cgi. • https://www.calypt.com/blog/index.php/authenticated-xxe-on-webmin • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 10.0EPSS: 94%CPEs: 1EXPL: 44CVE-2019-15107 – Webmin Command Injection Vulnerability
https://notcve.org/view.php?id=CVE-2019-15107
16 Aug 2019 — An issue was discovered in Webmin <=1.920. The parameter old in password_change.cgi contains a command injection vulnerability. Se ha detectado un problema en Webmin menor o igual a la versión 1.920. El parámetro old en password_change.cgi contiene una vulnerabilidad de inyección de comandos. An issue was discovered in Webmin. • https://packetstorm.news/files/id/154141 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.0EPSS: 87%CPEs: 1EXPL: 9CVE-2019-12840 – Webmin 1.910 - 'Package Updates' Remote Command Execution
https://notcve.org/view.php?id=CVE-2019-12840
11 Jun 2019 — In Webmin through 1.910, any user authorized to the "Package Updates" module can execute arbitrary commands with root privileges via the data parameter to update.cgi. En Webmin hasta la versión 1.910, cualquier usuario autorizado al módulo “Package Updates” puede ejecutar un comando arbitrario con privilegios root a través de el parámetro data para update.cgi. • https://packetstorm.news/files/id/153372 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 7.8EPSS: 51%CPEs: 1EXPL: 2CVE-2019-9624 – Webmin 1.900 - Remote Command Execution
https://notcve.org/view.php?id=CVE-2019-9624
07 Mar 2019 — Webmin 1.900 allows remote attackers to execute arbitrary code by leveraging the "Java file manager" and "Upload and Download" privileges to upload a crafted .cgi file via the /updown/upload.cgi URI. Webmin 1.900 permite a los atacantes remotos ejecutar código arbitrario, aprovechando los privilegios "Java file manager" y "Upload and Download" para subir un archivo .cgi manipulado mediante el URI /updown/upload.cgi. • https://www.exploit-db.com/exploits/46201 • CWE-269: Improper Privilege Management •
CVSS: 5.4EPSS: 1%CPEs: 1EXPL: 2CVE-2018-19191 – Webmin 1.890 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2018-19191
15 Jan 2019 — Webmin 1.890 has XSS via /config.cgi?webmin, the /shell/index.cgi history parameter, /shell/index.cgi?stripped=1, or the /webminlog/search.cgi uall or mall parameter. Webmin 1.890 tiene Cross-Site Scripting (XSS) mediante /config.cgi?webmin, el parámetro history en /shell/index.cgi, /shell/index.cgi? • https://packetstorm.news/files/id/151144 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •