| 41 | 8.8 / 6.5 | HIGH / Network | rpc.cgi in Webmin through 1.920 allows authenticated Remote Code Execution via a crafted object name because unserialise_variable makes an eval call. NOTE: the Webmin_Servers_Index documentation stat… | CWE-94 Code Injection | CVE-2019-15642 | cpe:2.3:a:webmin:webmin:*:* | | 1.920 | | | 2024-11-21 13:29 / 2019-08-27 |
| 42 | 6.5 / 6.8 | MEDIUM / Network | xmlrpc.cgi in Webmin through 1.930 allows authenticated XXE attacks. By default, only root, admin, and sysadm can access xmlrpc.cgi. | CWE-611 XXE | CVE-2019-15641 | cpe:2.3:a:webmin:webmin:*:* | | 1.930 | | | 2024-11-21 13:29 / 2019-08-27 |
| 43 | 9.8 / 10.0 | CRITICAL / Network | An issue was discovered in Webmin <=1.920. The parameter old in password_change.cgi contains a command injection vulnerability. | CWE-78 OS Command | CVE-2019-15107 | cpe:2.3:a:webmin:webmin:*:* | | 1.920 | | | 2024-11-21 13:28 / 2019-08-16 |
| 44 | 8.8 / 9.0 | HIGH / Network | In Webmin through 1.910, any user authorized to the "Package Updates" module can execute arbitrary commands with root privileges via the data parameter to update.cgi. | CWE-78 OS Command | CVE-2019-12840 | cpe:2.3:a:webmin:webmin:*:* | | 1.910 | | | 2024-11-21 13:23 / 2019-06-16 |
| 45 | 5.4 / 3.5 | MEDIUM / Network | Webmin 1.890 has XSS via /config.cgi?webmin, the /shell/index.cgi history parameter, /shell/index.cgi?stripped=1, or the /webminlog/search.cgi uall or mall parameter. | CWE-79 Cross-site Scripting | CVE-2018-19191 | cpe:2.3:a:webmin:webmin:1.890:* | | | | | 2024-11-21 12:57 / 2019-03-22 |
| 46 | 7.8 / 6.8 | HIGH / Local | Webmin 1.900 allows remote attackers to execute arbitrary code by leveraging the "Java file manager" and "Upload and Download" privileges to upload a crafted .cgi file via the /updown/upload.cgi URI. | CWE-269 Improper Privilege Management | CVE-2019-9624 | cpe:2.3:a:webmin:webmin:1.900:* | | | | | 2024-11-21 13:51 / 2019-03-07 |
| 47 | 9.8 / 5.0 | CRITICAL / Network | An issue was discovered in Webmin 1.840 and 1.880 when the default Yes setting of "Can view any file as a log file" is enabled. As a result of weak default configuration settings, limited users have … | CWE-22 Path Traversal | CVE-2018-8712 | cpe:2.3:a:webmin:webmin:1.880:* cpe:2.3:a:webmin:webmin:1.840:* | | | | | 2024-11-21 13:14 / 2018-03-15 |
| 48 | 4.8 / 3.5 | MEDIUM / Network | custom/run.cgi in Webmin before 1.870 allows remote authenticated administrators to conduct XSS attacks via the description field in the custom command functionality. | CWE-79 Cross-site Scripting | CVE-2017-17089 | cpe:2.3:a:webmin:webmin:*:* | | 1.860 | | | 2024-11-21 12:17 / 2017-12-31 |
| 49 | 6.1 / 4.3 | MEDIUM / Network | Webmin before 1.860 has XSS with resultant remote code execution. Under the 'Others/File Manager' menu, there is a 'Download from remote URL' option to download a file from a remote server. After set… | CWE-79 Cross-site Scripting | CVE-2017-15646 | cpe:2.3:a:webmin:webmin:*:* | | 1.850 | | | 2024-11-21 12:14 / 2017-10-20 |
| 50 | 8.8 / 6.8 | HIGH / Network | CSRF exists in Webmin 1.850. By sending a GET request to at/create_job.cgi containing dir=/&cmd= in the URI, an attacker can execute arbitrary commands. | CWE-352 Origin Validation Error | CVE-2017-15645 | cpe:2.3:a:webmin:webmin:*:* | | 1.850 | | | 2024-11-21 12:14 / 2017-10-20 |