
CVE-2022-0824: Foreign module may need a check · webmin/webmin@39ea464

Improper Access Control to Remote Code Execution in GitHub repository webmin/webmin prior to 1.990.


@@ -5144,7 +5144,8 @@ sub init_config

}

if ($module_name && !$main::no_acl_check &&

!defined($ENV{’FOREIGN_MODULE_NAME’}) &&

(!defined($ENV{’FOREIGN_MODULE_NAME’}) ||

defined($ENV{’FOREIGN_MODULE_SEC_CHECK’})) &&

$main::webmin_script_type eq ‘web’) {

Check if the HTTP user can access this module

if (!&foreign_available($module_name)) {
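
Review bot: The FOREIGN_MODULE_SEC_CHECK test in the init_config condition makes the ACL check on foreign calls opt-in: when FOREIGN_MODULE_NAME is defined and FOREIGN_MODULE_SEC_CHECK is not, &foreign_available($module_name) is still skipped. Nothing in this hunk shows who sets FOREIGN_MODULE_SEC_CHECK, so please add a comment above the if naming the callers that set it and why the remaining foreign calls are safe without the check, or invert the default so the check runs unless a trusted caller explicitly opts out. Both flags are read from %ENV with defined(), so it is also worth confirming that neither can be set from request-controlled input.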

Related news

Webmin 1.984 File Manager Remote Code Execution

In Webmin version 1.984, any authenticated low privilege user without access rights to the File Manager module could interact with file manager functionalities such as downloading files from remote URLs and changing file permissions. It is possible to achieve remote code execution via a crafted .cgi file by chaining those functionalities in the file manager.

CVE-2022-36880: Webmin

The Read Mail module in Webmin 1.995 and Usermin through 1.850 allows XSS via a crafted HTML e-mail message.
