OS Command Injection in Webmin - #VU27865
Published: May 13, 2020
Webmin
Detailed vulnerability description
The vulnerability allows a remote user to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation when processing file names within the "/cpan/download.cgi" script. A remote authenticated user with permissions to install Perl modules can pass specially crafted data via the file name during file upload and execute arbitrary OS commands on the target system.