Back to search
CVE-2022-30708
Published: May 15, 2022
Modified: Aug 3, 2024
PUBLISHED
CVSS v3.1
8.8
HIGH
Description
Webmin through 1.991, when the Authentic theme is used, allows remote code execution when a user has been manually created (i.e., not created in Virtualmin or Cloudmin). This occurs because settings-editor_write.cgi does not properly restrict the file parameter.
| Vendor | Product | Versions |
|---|---|---|
n/a | n/a | affected n/a |
CVSS v3.1 Details
CVSS v3.1 Vector
CVSS:3.1/AC:L/AV:N/A:H/C:H/I:H/PR:L/S:U/UI:N
Attack Complexity
Low
Attack Vector
Network
Availability
High
Confidentiality
High
Integrity
High
Privileges Required
Low
Scope
Unchanged
User Interaction
None
References
https://github.com/webmin/webmin/issues/1635
x_refsource_MISC
https://github.com/esp0xdeadbeef/rce_webmin
x_refsource_MISC
https://www.twitch.tv/videos/1483029790
x_refsource_MISC
https://github.com/webmin/webmin/releases
x_refsource_MISC
https://github.com/webmin/authentic-theme/releases
x_refsource_MISC
https://webmin.com/changes.html
x_refsource_MISC
https://github.com/esp0xdeadbeef/rce_webmin/blob/main/exploit.py
x_refsource_MISC
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now