Jcameron

**Name of the Vulnerable Software and Affected Versions** Webmin versions prior to 1.870 **Description** The issue allows remote authenticated administrators to conduct cross-site scripting (XSS) attacks. This is achieved by exploiting the description field in the custom command functionality of the custom/run.cgi module. **Recommendations** For versions prior to 1.870, update to version 1.870 or later to resolve the issue. As a temporary workaround, consider restricting access to the custom command functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Webmin version 1.850 **Description** A CSRF issue exists, allowing an attacker to execute arbitrary commands by sending a GET request to the "at/create job.cgi" endpoint with specific parameters in the URI, such as `dir=/` and `cmd=`. **Recommendations** For Webmin version 1.850, as a temporary workaround, consider restricting access to the "at/create job.cgi" endpoint until a patch is available. Avoid using the `dir` and `cmd` parameters in this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Webmin versions 1.590 and earlier **Description** The issue allows remote authenticated users to execute arbitrary Perl code via a crafted file associated with the `type` parameter, also referred to as the monitor type name. **Recommendations** For Webmin versions 1.590 and earlier, update to a version later than 1.590 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Webmin versions 1.590 and earlier **Description** The issue allows remote authenticated users to execute arbitrary commands via an invalid character in a pathname. This can be achieved by using a | (pipe) character in the file/show.cgi endpoint. **Recommendations** For Webmin versions 1.590 and earlier, consider restricting access to the file/show.cgi endpoint until a patch is available. As a temporary workaround, avoid using invalid characters, such as the | (pipe) character, in pathnames to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Webmin versions 1.590 and earlier **Description** The issue allows remote attackers to read arbitrary files without proper authorization. This is due to a lack of authorization check in the file/edit html.cgi component, which permits access to a file's unedited contents via the file field. **Recommendations** For versions 1.590 and earlier, update to a version later than 1.590 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Webmin versions 1.540 and earlier **Description** A cross-site scripting (XSS) issue allows local users to inject arbitrary web script or HTML via a chfn command that changes the real field, related to useradmin/index.cgi and useradmin/user-lib.pl. **Recommendations** For versions 1.540 and earlier, update to a version later than 1.540 to resolve the issue. As a temporary workaround, consider restricting access to the useradmin/index.cgi and useradmin/user-lib.pl files until a patch is available. Avoid using the chfn command to change the real field in the affected versions until the issue is resolved.