CVSS: 9.9EPSS: 1%CPEs: 1EXPL: 0CVE-2024-12828 – Webmin CGI Command Injection Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2024-12828
20 Dec 2024 — Webmin CGI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Webmin. Authentication is required to exploit this vulnerability. The specific flaw exists within the handling of CGI requests. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. • https://github.com/webmin/authentic-theme/commit/61e5b10227b50407e3c6ac494ffbd4385d1b59df • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 1CVE-2024-44762 – Usermin 2.100 Username Enumeration
https://notcve.org/view.php?id=CVE-2024-44762
16 Oct 2024 — A discrepancy in error messages for invalid login attempts in Webmin Usermin v2.100 allows attackers to enumerate valid user accounts. Una discrepancia en los mensajes de error de intentos de inicio de sesión no válidos en Webmin Usermin v2.100 permite a los atacantes enumerar cuentas de usuario válidas. Usermin versions 2.100 and below suffer from a username enumeration vulnerability. • https://packetstorm.news/files/id/190222 • CWE-209: Generation of Error Message Containing Sensitive Information •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2024-45692
https://notcve.org/view.php?id=CVE-2024-45692
04 Sep 2024 — Webmin before 2.202 and Virtualmin before 7.20.2 allow a network traffic loop via spoofed UDP packets on port 10000. • https://cispa.de/en/loop-dos • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2024-36453
https://notcve.org/view.php?id=CVE-2024-36453
10 Jul 2024 — Cross-site scripting vulnerability exists in session_login.cgi of Webmin versions prior to 1.970 and Usermin versions prior to 1.820. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the website using the product. As a result, a webpage may be altered or sensitive information such as a credential may be disclosed. Existe una vulnerabilidad de Cross Site Scripting en session_login.cgi de las versiones de Webmin anteriores a la 1.970 y de las ... • https://jvn.jp/en/jp/JVN81442045 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-36452
https://notcve.org/view.php?id=CVE-2024-36452
10 Jul 2024 — Cross-site request forgery vulnerability exists in ajaxterm module of Webmin versions prior to 2.003. If this vulnerability is exploited, unintended operations may be performed when a user views a malicious page while logged in. As a result, data within a system may be referred, a webpage may be altered, or a server may be permanently halted. Existe una vulnerabilidad de Cross-site request forgery en el módulo ajaxterm de las versiones de Webmin anteriores a la 2.003. Si se explota esta vulnerabilidad, se p... • https://jvn.jp/en/jp/JVN81442045 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-36451
https://notcve.org/view.php?id=CVE-2024-36451
10 Jul 2024 — Improper handling of insufficient permissions or privileges vulnerability exists in ajaxterm module of Webmin prior to 2.003. If this vulnerability is exploited, a console session may be hijacked by an unauthorized user. As a result, data within a system may be referred, a webpage may be altered, or a server may be permanently halted. Existe una vulnerabilidad de manejo incorrecto de permisos o privilegios insuficientes en el módulo ajaxterm de Webmin anterior a 2.003. Si se aprovecha esta vulnerabilidad, u... • https://jvn.jp/en/jp/JVN81442045 • CWE-280: Improper Handling of Insufficient Permissions or Privileges •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-36450
https://notcve.org/view.php?id=CVE-2024-36450
10 Jul 2024 — Cross-site scripting vulnerability exists in sysinfo.cgi of Webmin versions prior to 1.910. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the website using the product. As a result, a session ID may be obtained, a webpage may be altered, or a server may be halted. Existe una vulnerabilidad de Cross Site Scripting en sysinfo.cgi de versiones de Webmin anteriores a la 1.910. Si se explota esta vulnerabilidad, se puede ejecutar un script arb... • https://jvn.jp/en/jp/JVN81442045 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-52046
https://notcve.org/view.php?id=CVE-2023-52046
25 Jan 2024 — Cross Site Scripting vulnerability (XSS) in webmin v.2.105 and earlier allows a remote attacker to execute arbitrary code via a crafted payload to the "Execute cron job as" tab Input field. Vulnerabilidad de cross site scripting (XSS) en webmin v.2.105 y versiones anteriores permite a un atacante remoto ejecutar código arbitrario a través de un payload manipulado en el campo de entrada de la pestaña "Execute cron job as". • https://github.com/Acklee/webadmin_xss/blob/main/xss.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-43309
https://notcve.org/view.php?id=CVE-2023-43309
21 Sep 2023 — There is a stored cross-site scripting (XSS) vulnerability in Webmin 2.002 and below via the Cluster Cron Job tab Input field, which allows attackers to run malicious scripts by injecting a specially crafted payload. Vulnerabilidad de Cross-Site Scripting (XSS) almacenado en Webmin 2.002 y versiones anteriores a través del archivo Cluster Cron Job tab Input, que permite a los atacantes ejecutar scripts maliciosos inyectando un payload manipulado. • https://github.com/TishaManandhar/Webmin_xss_POC/blob/main/XSS • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-41157
https://notcve.org/view.php?id=CVE-2023-41157
16 Sep 2023 — Multiple stored cross-site scripting (XSS) vulnerabilities in Usermin 2.000 allow remote attackers to inject arbitrary web script or HTML via the folder name parameter while creating the folder to manage the folder tab, filter tab, and forward mail tab. Múltiples vulnerabilidades de Cross-Site Scripting (XSS) almacenado en Usermin 2.000 permiten a atacantes remotos inyectar scripts web o HTML arbitrarias a través del parámetro de "nombre de carpeta" mientras crean la carpeta para administrar la pestaña de c... • https://github.com/shindeanik/Usermin-2.000/blob/main/CVE-2023-41157 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •