CVE-2018-8712

Name of the Vulnerable Software and Affected Versions Webmin versions 1.840 through 1.880

Description An issue was discovered due to weak default configuration settings, allowing limited users to have full access rights to the underlying Unix system files. This enables users to read sensitive data from the local system, such as the /etc/shadow file, via a "GET /syslog/save log.cgi?view=1&file=/etc/shadow" request.

Recommendations For Webmin versions 1.840 through 1.880, consider disabling the "Can view any file as a log file" setting to prevent limited users from accessing sensitive system files. As a temporary workaround, restrict access to the save log.cgi API endpoint to minimize the risk of exploitation.