CVE-2019-12840
Webmin 1.910 - 'Package Updates' Remote Command Execution
Severity Score
8.8
*CVSS v3
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
5
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
In Webmin through 1.910, any user authorized to the "Package Updates" module can execute arbitrary commands with root privileges via the data parameter to update.cgi.
En Webmin hasta la versión 1.910, cualquier usuario autorizado al módulo “Package Updates” puede ejecutar un comando arbitrario con privilegios root a través de el parámetro data para update.cgi.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2019-06-11 CVE Published
- 2019-06-15 CVE Reserved
- 2021-09-19 First Exploit
- 2024-08-04 CVE Updated
- 2024-11-05 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CAPEC
References (8)
| URL | Date | SRC |
|---|---|---|
| https://www.exploit-db.com/exploits/46984 | 2024-08-04 | |
| https://github.com/zAbuQasem/CVE-2019-12840 | 2021-09-19 | |
| https://github.com/WizzzStark/CVE-2019-12840.py | 2021-10-05 | |
| https://github.com/Pol-Ruiz/PoC-CVE-2019-12840 | 2024-01-25 | |
| https://pentest.com.tr/exploits/Webmin-1910-Package-Updates-Remote-Command-Execution.html | 2024-08-04 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|