CVE-2017-15644

Name of the Vulnerable Software and Affected Versions Webmin version 1.850

Description A issue exists in the software, where an SSRF can be exploited via the PATH INFO to tunnel/link.cgi. This can be demonstrated by sending a GET request for "tunnel/link.cgi/http://INTRANET-IP:8000".

Recommendations For version 1.850, consider restricting access to the tunnel/link.cgi endpoint to minimize the risk of exploitation. As a temporary workaround, avoid using the PATH INFO to tunnel/link.cgi until a patch is available.