
Paul Stewart

Researcher from 7 Elements
#26488 of 53,638
9.8 Total CVSS
Vulnerabilities · 1
PT-2018-18592
9.8
2018-03-14
Webmin · Webmin · CVE-2018-8712
**Name of the Vulnerable Software and Affected Versions**

Webmin versions 1.840 through 1.880

**Description**

Weak default configuration settings give limited users full access rights to the underlying Unix system files. This lets such users read sensitive data from the local system, such as the `/etc/shadow` file, via a `GET /syslog/save_log.cgi?view=1&file=/etc/shadow` request.

**Recommendations**

For Webmin versions 1.840 through 1.880, consider disabling the "Can view any file as a log file" setting to prevent limited users from accessing sensitive system files. As a temporary workaround, restrict access to the `save_log.cgi` API endpoint to minimize the risk of exploitation.