Medium severity6.1NVD Advisory· Published Oct 19, 2017· Updated May 13, 2026

CVE-2017-15646

Description

Webmin before 1.860 has XSS with resultant remote code execution. Under the 'Others/File Manager' menu, there is a 'Download from remote URL' option to download a file from a remote server. After setting up a malicious server, one can wait for a file download request and then send an XSS payload that will lead to Remote Code Execution, as demonstrated by an OS command in the value attribute of a name='cmd' input element.

Affected products

Webmin/Webmin
cpe:2.3:a:webmin:webmin:*:*:*:*:*:*:*:*
Range: <=1.850

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/webmin/webmin/commit/0c58892732ee7610a7abba5507614366d382c9c9nvdPatchThird Party Advisory
blogs.securiteam.com/index.php/archives/3430nvdExploitThird Party Advisory
www.webmin.com/changes.htmlnvdRelease NotesVendor Advisory
www.webmin.com/security.htmlnvdVendor Advisory

News mentions

No linked articles in our index yet.

cvss	0.397
epss	0.007
exploit	0.030
kev	0.000
patch	0.000
ransomware	0.000