Loïc

#17302 of 53,638
15.6 CVSS total
Vulnerabilities · 2
Medium: 1
High: 1
PT-2019-14313
6.8
2019-08-26
Jamie Cameron · Webmin · CVE-2019-15641
**Name of the Vulnerable Software and Affected Versions**
Webmin versions prior to 1.931

**Description**
The issue allows authenticated XXE attacks through the `xmlrpc.cgi` module. By default, access to `xmlrpc.cgi` is restricted to root, admin, and sysadm users.

**Recommendations**
For versions prior to 1.931, update to version 1.931 or later to resolve the issue. As a temporary workaround, consider restricting access to the `xmlrpc.cgi` module to minimize the risk of exploitation.
PT-2019-14314
8.8
2019-08-26
Webmin · Webmin · CVE-2019-15642
**Name of the Vulnerable Software and Affected Versions**
Webmin versions prior to 1.920

**Description**
The issue allows authenticated remote code execution via a crafted object name, because the `unserialise_variable` function makes an `eval` call. RPC can be used to run any command or modify any file on a server, which makes it important to restrict access to trusted Webmin users.

**Recommendations**
For versions prior to 1.920, update to version 1.920 or later to resolve the issue. As a temporary workaround, consider restricting access to the RPC functionality to minimize the risk of exploitation.