Webmin
by Webmin
Source repositories
CVEs (103)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-38308 | 0.00 | — | 0.01 | Jul 31, 2023 | An issue was discovered in Webmin 2.021. A Cross-Site Scripting (XSS) vulnerability was discovered in the HTTP Tunnel functionality when handling third-party domain URLs. By providing a crafted URL from a third-party domain, an attacker can inject malicious code. leading to the… | |||
| CVE-2023-38311 | 0.00 | — | 0.00 | Jul 31, 2023 | An issue was discovered in Webmin 2.021. A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the System Logs Viewer functionality. The vulnerability allows an attacker to store a malicious payload in the configuration field, triggering the execution of the… | |||
| CVE-2022-3844 | 0.00 | — | 0.01 | Nov 2, 2022 | A vulnerability, which was classified as problematic, was found in Webmin 2.001. Affected is an unknown function of the file xterm/index.cgi. The manipulation leads to basic cross site scripting. It is possible to launch the attack remotely. Upgrading to version 2.003 is able to… | |||
| CVE-2022-36880 | 0.00 | — | 0.01 | Jul 27, 2022 | The Read Mail module in Webmin 1.995 and Usermin through 1.850 allows XSS via a crafted HTML e-mail message. | |||
| CVE-2022-30708 | 0.00 | — | 0.03 | May 15, 2022 | Webmin through 1.991, when the Authentic theme is used, allows remote code execution when a user has been manually created (i.e., not created in Virtualmin or Cloudmin). This occurs because settings-editor_write.cgi does not properly restrict the file parameter. | |||
| CVE-2022-0829 | 0.00 | — | 0.01 | Mar 2, 2022 | Improper Authorization in GitHub repository webmin/webmin prior to 1.990. | |||
| CVE-2020-35769 | 0.00 | — | 0.02 | Dec 29, 2020 | miniserv.pl in Webmin 1.962 on Windows mishandles special characters in query arguments to the CGI program. | |||
| CVE-2020-12670 | 0.00 | — | 0.01 | Oct 12, 2020 | XSS exists in Webmin 1.941 and earlier affecting the Save function of the Read User Email Module / mailboxes Endpoint when attempting to save HTML emails. This module parses any output without sanitizing SCRIPT elements, as opposed to the View function, which sanitizes the input… | |||
| CVE-2020-8821 | 0.00 | — | 0.82 | Oct 12, 2020 | An Improper Data Validation Vulnerability exists in Webmin 1.941 and earlier affecting the Command Shell Endpoint. A user may enter HTML code into the Command field and submit it. Then, after visiting the Action Logs Menu and displaying logs, the HTML code will be rendered… | |||
| CVE-2020-8820 | 0.00 | — | 0.01 | Oct 12, 2020 | An XSS Vulnerability exists in Webmin 1.941 and earlier affecting the Cluster Shell Commands Endpoint. A user may enter any XSS Payload into the Command field and execute it. Then, after revisiting the Cluster Shell Commands Menu, the XSS Payload will be rendered and executed. | |||
| CVE-2019-15641 | 0.00 | — | 0.01 | Aug 26, 2019 | xmlrpc.cgi in Webmin through 1.930 allows authenticated XXE attacks. By default, only root, admin, and sysadm can access xmlrpc.cgi. | |||
| CVE-2018-19191 | 0.00 | — | 0.40 | Mar 17, 2019 | Webmin 1.890 has XSS via /config.cgi?webmin, the /shell/index.cgi history parameter, /shell/index.cgi?stripped=1, or the /webminlog/search.cgi uall or mall parameter. | |||
| CVE-2015-1377 | 0.00 | — | 0.00 | Feb 10, 2015 | The Read Mail module in Webmin 1.720 allows local users to read arbitrary files via a symlink attack on an unspecified file. | |||
| CVE-2014-3886 | 0.00 | — | 0.01 | Jul 20, 2014 | Cross-site scripting (XSS) vulnerability in Webmin before 1.690, when referrer checking is disabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: this might overlap CVE-2014-3924. | |||
| CVE-2014-3885 | 0.00 | — | 0.01 | Jul 20, 2014 | Cross-site scripting (XSS) vulnerability in Webmin before 1.690 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. NOTE: this might overlap CVE-2014-3924. | |||
| CVE-2014-3924 | 0.00 | — | 0.01 | May 30, 2014 | Multiple cross-site scripting (XSS) vulnerabilities in Webmin before 1.690 and Usermin before 1.600 allow remote attackers to inject arbitrary web script or HTML via vectors related to popup windows. | |||
| CVE-2014-0339 | 0.00 | — | 0.02 | Mar 16, 2014 | Cross-site scripting (XSS) vulnerability in view.cgi in Webmin before 1.680 allows remote attackers to inject arbitrary web script or HTML via the search parameter. | |||
| CVE-2012-4893 | 0.00 | — | 0.01 | Sep 11, 2012 | Multiple cross-site request forgery (CSRF) vulnerabilities in file/show.cgi in Webmin 1.590 and earlier allow remote attackers to hijack the authentication of privileged users for requests that (1) read files or execute (2) tar, (3) zip, or (4) gzip commands, a different issue… | |||
| CVE-2012-2983 | 0.00 | — | 0.20 | Sep 11, 2012 | file/edit_html.cgi in Webmin 1.590 and earlier does not perform an authorization check before showing a file's unedited contents, which allows remote attackers to read arbitrary files via the file field. | |||
| CVE-2012-2981 | 0.00 | — | 0.02 | Sep 11, 2012 | Webmin 1.590 and earlier allows remote authenticated users to execute arbitrary Perl code via a crafted file associated with the type (aka monitor type name) parameter. |
- CVE-2023-38308Jul 31, 2023risk 0.00cvss —epss 0.01
An issue was discovered in Webmin 2.021. A Cross-Site Scripting (XSS) vulnerability was discovered in the HTTP Tunnel functionality when handling third-party domain URLs. By providing a crafted URL from a third-party domain, an attacker can inject malicious code. leading to the…
- CVE-2023-38311Jul 31, 2023risk 0.00cvss —epss 0.00
An issue was discovered in Webmin 2.021. A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the System Logs Viewer functionality. The vulnerability allows an attacker to store a malicious payload in the configuration field, triggering the execution of the…
- CVE-2022-3844Nov 2, 2022risk 0.00cvss —epss 0.01
A vulnerability, which was classified as problematic, was found in Webmin 2.001. Affected is an unknown function of the file xterm/index.cgi. The manipulation leads to basic cross site scripting. It is possible to launch the attack remotely. Upgrading to version 2.003 is able to…
- CVE-2022-36880Jul 27, 2022risk 0.00cvss —epss 0.01
The Read Mail module in Webmin 1.995 and Usermin through 1.850 allows XSS via a crafted HTML e-mail message.
- CVE-2022-30708May 15, 2022risk 0.00cvss —epss 0.03
Webmin through 1.991, when the Authentic theme is used, allows remote code execution when a user has been manually created (i.e., not created in Virtualmin or Cloudmin). This occurs because settings-editor_write.cgi does not properly restrict the file parameter.
- CVE-2022-0829Mar 2, 2022risk 0.00cvss —epss 0.01
Improper Authorization in GitHub repository webmin/webmin prior to 1.990.
- CVE-2020-35769Dec 29, 2020risk 0.00cvss —epss 0.02
miniserv.pl in Webmin 1.962 on Windows mishandles special characters in query arguments to the CGI program.
- CVE-2020-12670Oct 12, 2020risk 0.00cvss —epss 0.01
XSS exists in Webmin 1.941 and earlier affecting the Save function of the Read User Email Module / mailboxes Endpoint when attempting to save HTML emails. This module parses any output without sanitizing SCRIPT elements, as opposed to the View function, which sanitizes the input…
- CVE-2020-8821Oct 12, 2020risk 0.00cvss —epss 0.82
An Improper Data Validation Vulnerability exists in Webmin 1.941 and earlier affecting the Command Shell Endpoint. A user may enter HTML code into the Command field and submit it. Then, after visiting the Action Logs Menu and displaying logs, the HTML code will be rendered…
- CVE-2020-8820Oct 12, 2020risk 0.00cvss —epss 0.01
An XSS Vulnerability exists in Webmin 1.941 and earlier affecting the Cluster Shell Commands Endpoint. A user may enter any XSS Payload into the Command field and execute it. Then, after revisiting the Cluster Shell Commands Menu, the XSS Payload will be rendered and executed.
- CVE-2019-15641Aug 26, 2019risk 0.00cvss —epss 0.01
xmlrpc.cgi in Webmin through 1.930 allows authenticated XXE attacks. By default, only root, admin, and sysadm can access xmlrpc.cgi.
- CVE-2018-19191Mar 17, 2019risk 0.00cvss —epss 0.40
Webmin 1.890 has XSS via /config.cgi?webmin, the /shell/index.cgi history parameter, /shell/index.cgi?stripped=1, or the /webminlog/search.cgi uall or mall parameter.
- CVE-2015-1377Feb 10, 2015risk 0.00cvss —epss 0.00
The Read Mail module in Webmin 1.720 allows local users to read arbitrary files via a symlink attack on an unspecified file.
- CVE-2014-3886Jul 20, 2014risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in Webmin before 1.690, when referrer checking is disabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: this might overlap CVE-2014-3924.
- CVE-2014-3885Jul 20, 2014risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in Webmin before 1.690 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. NOTE: this might overlap CVE-2014-3924.
- CVE-2014-3924May 30, 2014risk 0.00cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in Webmin before 1.690 and Usermin before 1.600 allow remote attackers to inject arbitrary web script or HTML via vectors related to popup windows.
- CVE-2014-0339Mar 16, 2014risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in view.cgi in Webmin before 1.680 allows remote attackers to inject arbitrary web script or HTML via the search parameter.
- CVE-2012-4893Sep 11, 2012risk 0.00cvss —epss 0.01
Multiple cross-site request forgery (CSRF) vulnerabilities in file/show.cgi in Webmin 1.590 and earlier allow remote attackers to hijack the authentication of privileged users for requests that (1) read files or execute (2) tar, (3) zip, or (4) gzip commands, a different issue…
- CVE-2012-2983Sep 11, 2012risk 0.00cvss —epss 0.20
file/edit_html.cgi in Webmin 1.590 and earlier does not perform an authorization check before showing a file's unedited contents, which allows remote attackers to read arbitrary files via the file field.
- CVE-2012-2981Sep 11, 2012risk 0.00cvss —epss 0.02
Webmin 1.590 and earlier allows remote authenticated users to execute arbitrary Perl code via a crafted file associated with the type (aka monitor type name) parameter.
Page 4 of 6