Webmin through 1.991, when the Authentic theme is used, allows remote code execution when a user has been manually created (i.e., not created in Virtualmin or Cloudmin). This occurs because settings-editor_write.cgi does not properly restrict the file parameter.
References
Link | Resource |
---|---|
https://github.com/esp0xdeadbeef/rce_webmin | Exploit Third Party Advisory |
https://github.com/esp0xdeadbeef/rce_webmin/blob/main/exploit.py | Exploit Third Party Advisory |
https://github.com/webmin/authentic-theme/releases | Release Notes Third Party Advisory |
https://github.com/webmin/webmin/commit/6a2334bf8b27d55c7edf0b2825cd14f3f8a69d4d | Patch Third Party Advisory |
https://github.com/webmin/webmin/issues/1635 | Issue Tracking Third Party Advisory |
https://github.com/webmin/webmin/releases | Release Notes Third Party Advisory |
https://webmin.com/changes.html | Release Notes Vendor Advisory |
https://www.twitch.tv/videos/1483029790 | Exploit Third Party Advisory |
Configurations
History
24 May 2022, 17:19
Type | Values Removed | Values Added |
---|---|---|
First Time |
Webmin webmin
Webmin |
|
CPE | cpe:2.3:a:webmin:webmin:*:*:*:*:*:*:*:* | |
CVSS |
v2 : v3 : |
v2 : 6.5
v3 : 8.8 |
CWE | NVD-CWE-noinfo | |
References | (MISC) https://github.com/esp0xdeadbeef/rce_webmin - Exploit, Third Party Advisory | |
References | (MISC) https://github.com/webmin/webmin/commit/6a2334bf8b27d55c7edf0b2825cd14f3f8a69d4d - Patch, Third Party Advisory | |
References | (MISC) https://www.twitch.tv/videos/1483029790 - Exploit, Third Party Advisory | |
References | (MISC) https://github.com/webmin/authentic-theme/releases - Release Notes, Third Party Advisory | |
References | (MISC) https://webmin.com/changes.html - Release Notes, Vendor Advisory | |
References | (MISC) https://github.com/webmin/webmin/releases - Release Notes, Third Party Advisory | |
References | (MISC) https://github.com/esp0xdeadbeef/rce_webmin/blob/main/exploit.py - Exploit, Third Party Advisory | |
References | (MISC) https://github.com/webmin/webmin/issues/1635 - Issue Tracking, Third Party Advisory |
15 May 2022, 03:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2022-05-15 03:15
Updated : 2023-12-10 14:22
NVD link : CVE-2022-30708
Mitre link : CVE-2022-30708
CVE.ORG link : CVE-2022-30708
JSON object : View
Products Affected
webmin
- webmin
CWE