Webmin version 1.890 suffers from a cross site scripting vulnerability.
6c0864db4d44c74ed081288ffd52c7cb
# Vulnerability type: Reflected Cross Site Scripting
# Vendor: <https://www.k2.com/> http://www.webmin.com/index.html
# Product: Webmin
# Affected version: 1.890
# Credit: Foo Jong Meng
# CVE ID: CVE- 2018-19191
# DESCRIPTION:
After logging into the webmin interface, attack can be launched by injecting
the XSS payload at the affected parameters. The XSS is noted in the
following webmin parameters https://x.x.x.x:10000/affected-parameters:
u /config.cgi?webmin (GET)
u /shell/index.cgi (POST) history parameter
u /shell/index.cgi?stripped=1 (POST)
u /webminlog/search.cgi (GET) uall and mall parameters
# SAMPLE PAYLOAD:
"<script>alert(0)</script>
<script>alert(%22%78%73%73%22)</script>abc
# PROOF OF CONCEPT:
1. Use a web proxy (i.e zapproxy, burp) to intercept the affected "GET" and
"POST" requests for:
https://x.x.x.x:10000/affected-parameters
2. Inject the XSS payload at the affected parameters.
3. The payload will be executed.
Developer has issued an updated version of webmin with the vulnerabilities
reported.