CVE-2022-30708

Name of the Vulnerable Software and Affected Versions Webmin versions 1.991 and earlier

Description The issue allows remote code execution when the Authentic theme is used and a user has been manually created. This occurs because the settings-editor write.cgi script does not properly restrict the file parameter, enabling less privileged users to modify arbitrary files with root privileges and run commands as root.

Recommendations For Webmin versions 1.991 and earlier, as a temporary workaround, consider disabling the settings-editor write.cgi script until a patch is available. Restrict access to the Authentic theme to minimize the risk of exploitation. Avoid using the file parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.