The Qualys Research Team discovered nine high and critical severity vulnerabilities in Webmin. The successful exploitation of cross-site scripting (XSS) vulnerabilities could cause severe damage to users and the overall security of the application.
Webmin is used to change and manage open-source applications like BIND DNS Server, Apache HTTP Server, PHP, MySQL, and many more, as well as operating system internals like users, disc quotas, services, and configuration files. Approximately 1,000,000 installs of Webmin are made each year worldwide for Unix-like servers and services.
CVE-2023-38303
The vulnerability exists in the user's Real name parameter. An attacker may perform remote code execution by inserting an XSS payload into the affected parameter while creating the new user.
CVE-2023-38304
The vulnerability was discovered in the Users and Groups functionality. It allows an attacker to store a malicious payload in the Group Name field while creating a new group. When viewing the user details, the stored XSS payload is executed within the context of the victim’s browser.
CVE-2023-38305
The vulnerability was discovered in the download functionality. A crafted download path containing a malicious payload may allow an attacker to inject arbitrary code. The code is then executed within the context of the victim’s browser when the victim accesses the download link.
CVE-2023-38306
This critical-severity XSS bypass vulnerability was discovered in the file upload functionality. Usually, the application restricts the upload of certain file types, such as .svg, .php, etc., and displays an error message if a prohibited file type is detected. An attacker may bypass the restrictions and inject malicious code by exploiting the vulnerability.
CVE-2023-38307
This vulnerability exists in the Users and Groups functionality. It occurs when an authenticated user adds a new user and inserts an XSS payload into the user’s real name while deleting the user.
CVE-2023-38308
The vulnerability was discovered in the HTTP Tunnel functionality while handling third-party domain URLs. An attacker may inject malicious code by providing a crafted URL from a third-party domain. Successful exploitation of the vulnerability will lead to the execution of arbitrary JavaScript code within the context of the victim’s browser.
CVE-2023-38309
The reflected cross-site scripting (XSS) vulnerability was discovered in the package search functionality. The vulnerability allows an attacker to inject a malicious payload in the Search for Package field, which gets reflected in the application’s response. Successful exploitation of the vulnerability will lead to the execution of arbitrary JavaScript code within the context of the victim’s browser.
CVE-2023-38310
The vulnerability was discovered in the Configuration settings of the system logs functionality. It allows an attacker to store an XSS payload in the configuration settings of specific log files. This will result in the execution of that payload whenever the affected log files are accessed.
CVE-2023-38311
The vulnerability was discovered in the System Logs Viewer functionality. It allows an attacker to store a malicious payload in the Configuration field, triggering the execution of the payload when saving the configuration or accessing the System Logs Viewer page.
Affected versions
These vulnerabilities affect Webmin version 2.021.
Mitigation
Customers must upgrade to Webmin version 2.100 to patch the vulnerabilities.
For more information about the mitigation, please refer to the Webmin Security Advisory.
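The affected and fixed versions above can also be checked locally on a host. The script below is an added example, not part of the advisory or of Webmin. It assumes the default `/etc/webmin/version` file and three-digit minor versions as used on this page, and the `WEBMIN_CONFIG_DIR` variable is hypothetical.

```sh
#!/bin/sh
# Added example, not Qualys or Webmin code.
# From the advisory: 2.021 is affected, 2.100 is the fixed release.
# Assumption: versions look like MAJOR.NNN (three-digit minor), as on this page.

# classify_webmin_version VERSION -> affected | below-fixed | patched | unknown
classify_webmin_version() {
    printf '%s\n' "$1" | awk '
        # Compare dotted versions component by component as integers.
        function cmp(a, b,    x, y, n, m, i, len) {
            n = split(a, x, "."); m = split(b, y, ".")
            len = (n > m) ? n : m
            for (i = 1; i <= len; i++) {
                if (x[i] + 0 < y[i] + 0) return -1
                if (x[i] + 0 > y[i] + 0) return 1
            }
            return 0
        }
        # Refuse to guess about strings that are not MAJOR.NNN[.N...].
        !/^[0-9]+\.[0-9][0-9][0-9](\.[0-9]+)*$/ { print "unknown"; exit }
        # The only release the advisory names as affected.
        $0 == "2.021"        { print "affected"; exit }
        # Older than the fix, but not named in the advisory.
        cmp($0, "2.100") < 0 { print "below-fixed"; exit }
                             { print "patched" }
    '
}

# check_webmin_config_dir DIR: classify the release recorded in DIR/version.
# Assumption: the installer wrote the version file into the config directory
# (/etc/webmin by default).
check_webmin_config_dir() {
    dir=${1:-/etc/webmin}
    if [ ! -r "$dir/version" ]; then
        echo "not-installed"
        return 0
    fi
    ver=$(head -n 1 "$dir/version" | tr -d '[:space:]')
    classify_webmin_version "$ver"
}

# WEBMIN_CONFIG_DIR is a hypothetical override for non-default installs.
echo "webmin: $(check_webmin_config_dir "${WEBMIN_CONFIG_DIR:-/etc/webmin}")"
```

A result of `below-fixed` means the release predates 2.100 but is not the one version the advisory lists, so it should be upgraded and reviewed rather than assumed safe.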
Qualys Detection
Qualys customers can scan their devices with QID 730861 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://github.com/jaysharma786/Webmin-2.021
https://webmin.com/changelog/webmin-2.100-released/