The Qualys Research Team discovered nine high and critical severity vulnerabilities in Webmin. The successful exploitation of cross-site scripting (XSS) vulnerabilities could cause severe damage to users and the overall security of the application.
Webmin is used to configure and manage open-source applications like BIND DNS Server, Apache HTTP Server, PHP, MySQL, and many more, as well as operating system internals like users, disk quotas, services, and configuration files. Approximately 1,000,000 installs of Webmin are made each year worldwide for Unix-like servers and services.
The vulnerability exists in the Users "Real name" parameter. An attacker may achieve remote code execution by inserting an XSS payload into the affected parameter while creating a new user.
The vulnerability was discovered in the Users and Groups functionality. It allows an attacker to store a malicious payload in the Group Name field while creating a new group. When viewing the user details, the stored XSS payload is executed within the context of the victim’s browser.
The vulnerability was discovered in the download functionality. A crafted download path containing a malicious payload may allow an attacker to inject arbitrary code, which is then executed within the context of the victim's browser when the download link is accessed.
This critical severity XSS bypass vulnerability was discovered in the file upload functionality. Usually, the application restricts the upload of certain file types, such as .svg, .php, etc., and displays an error message if a prohibited file type is detected. An attacker may bypass these restrictions and inject malicious code by exploiting the vulnerability.
This Users and Groups vulnerability occurs when an authenticated user adds a new user, inserts an XSS payload into the user's real name, and then deletes the user.
The vulnerability was discovered in the Configuration settings of the system logs functionality. It allows an attacker to store an XSS payload in the configuration settings of specific log files. This will result in the execution of that payload whenever the affected log files are accessed.
The vulnerability was discovered in the System Logs Viewer functionality. It allows an attacker to store a malicious payload in the Configuration field, triggering the execution of the payload when saving the configuration or accessing the System Logs Viewer page.
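Because the user real-name and group-name findings above are stored XSS (the payload persists in the account database), a defender can check whether markup has already been planted before or after upgrading. The following audit script is an added example, not Qualys or Webmin code; it assumes that Webmin's Users and Groups module writes the real name into the GECOS field of /etc/passwd and the group name into the first field of /etc/group, and the sample entries are constructed.

```python
import re
from typing import Dict, List

# Markup that has no business in a real name or group name. Apostrophes and
# the legacy GECOS "&" are deliberately not matched (O'Brien, "& Jr." are
# legitimate), so the pattern targets tag/attribute syntax and script URLs.
SUSPICIOUS = re.compile(r'[<>"]|javascript:|\bon\w+\s*=', re.IGNORECASE)

# Constructed sample data (not from a real system). Assumption: Webmin's
# Users and Groups module stores the real name in GECOS (field 4 of passwd)
# and the group name in field 0 of group.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice O'Brien:/home/alice:/bin/bash
mallory:x:1002:1002:<script>alert(document.cookie)</script>:/home/mallory:/bin/sh
"""
SAMPLE_GROUP = """wheel:x:10:root
staff:x:50:alice
"><img src=x onerror=alert(1)>:x:1003:mallory
"""


def scan_nss_file(text: str, field_index: int, source: str) -> List[Dict[str, str]]:
    """Flag entries whose colon-separated field `field_index` contains markup.

    Blank lines, comments, and entries too short to hold the field are skipped
    rather than raising, so the scan tolerates slightly malformed files.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.startswith('#'):
            continue
        fields = line.split(':')
        if len(fields) <= field_index:
            continue
        value = fields[field_index]
        if SUSPICIOUS.search(value):
            findings.append({'source': source, 'line': str(lineno),
                             'account': fields[0], 'value': value})
    return findings


def audit(passwd_text: str, group_text: str) -> List[Dict[str, str]]:
    """Audit both files: GECOS is field 4 in passwd, group name is field 0 in group."""
    return (scan_nss_file(passwd_text, 4, 'passwd')
            + scan_nss_file(group_text, 0, 'group'))


if __name__ == '__main__':
    for f in audit(SAMPLE_PASSWD, SAMPLE_GROUP):
        print(f"{f['source']}:{f['line']} account={f['account']!r} value={f['value']!r}")
```

On a live host, pass the contents of the real /etc/passwd and /etc/group to `audit()`; any hit should be treated as a planted payload and cleaned up alongside the upgrade to 2.100.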
These vulnerabilities affect Webmin version 2.021.
Customers must upgrade to Webmin version 2.100 to patch these vulnerabilities.
For more information about the mitigation, please refer to the Webmin Security Advisory.
Qualys customers can scan their devices with QID 730861 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.