Esp0Xdeadbeef

**Name of the Vulnerable Software and Affected Versions** Webmin versions 1.991 and earlier **Description** The issue allows remote code execution when the Authentic theme is used and a user has been manually created. This occurs because the `settings-editor write.cgi` script does not properly restrict the `file` parameter, enabling less privileged users to modify arbitrary files with root privileges and run commands as root. **Recommendations** For Webmin versions 1.991 and earlier, as a temporary workaround, consider disabling the `settings-editor write.cgi` script until a patch is available. Restrict access to the Authentic theme to minimize the risk of exploitation. Avoid using the `file` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.