CVE-2023-38306

Name of the Vulnerable Software and Affected Versions Webmin version 2.021

Description A Cross-site Scripting (XSS) Bypass vulnerability was discovered in the file upload functionality of Webmin. Normally, the application restricts the upload of certain file types such as .svg, .php, etc., and displays an error message if a prohibited file type is detected. However, by following certain steps, an attacker can bypass these restrictions and inject malicious code. The vulnerability is related to the lack of protection of the web page structure, which can allow a remote attacker to conduct a cross-site scripting (XSS) attack.

Recommendations For Webmin version 2.021, as a temporary workaround, consider disabling the file upload functionality until a patch is available. Restrict access to the file upload module to minimize the risk of exploitation. Avoid using the file upload feature in the affected Webmin version until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.