Main Vulnerability Database Vulnerabilities #VU27865

#VU27865 OS Command Injection in Webmin

Published: May 13, 2020

Vulnerability identifier: #VU27865

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Green

CVE-ID: N/A

CWE-ID: CWE-78

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Webmin

Software vendor:
Webmin

Description

The vulnerability allows a remote user to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation when processing file names within the "/cpan/download.cgi" script. A remote authenticated user with permissions to install Perl modules can pass specially crafted data via the file name during file upload and execute arbitrary OS commands on the target system.

Remediation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

External links

https://seclists.org/fulldisclosure/2020/May/24

#VU27865 OS Command Injection in Webmin

Description

Remediation

External links

Please verify you're human