CVE-2019-15107

CVE	CVE-2019-15107
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2019-08-16 03:15:00 UTC
Updated	2023-02-28 15:23:00 UTC
Description	An issue was discovered in Webmin <=1.920. The parameter old in password_change.cgi contains a command injection vulnerability.

EPSS: 0.944610000 probability, percentile 0.999940000 (date 2026-04-02)

CISA KEV: Listed on 2022-03-25; due 2022-04-15; ransomware use Unknown

Problem Types: CWE-78

Vendor	Webmin
Product	Webmin
Name	Webmin Command Injection Vulnerability
Required Action	Apply updates per vendor instructions.
Notes	https://nvd.nist.gov/vuln/detail/CVE-2019-15107

Type	Vendor	Product	Version	Update	Edition	Language
Application	Webmin	Webmin	All	All	All	All

Reference	Source	Link	Tags
Webmin	MISC	www.webmin.com	Vendor Advisory
Webmin 1.920 password_change.cgi Backdoor ≈ Packet Storm	MISC	packetstormsecurity.com	Exploit, Third Party Advisory
Webmin 1.920 Remote Code Execution ≈ Packet Storm	MISC	packetstormsecurity.com
AttackerKB \| Webmin password_change.cgi Command Injection	MISC	attackerkb.com
Webmin 1.920 Remote Command Execution ≈ Packet Storm	MISC	packetstormsecurity.com	Exploit, Third Party Advisory, VDB Entry
Pentest Blog - Self-Improvement to Ethical Hacking	MISC	www.pentest.com.tr	Exploit, Third Party Advisory
Webmin 1.920 - Unauthenticated Remote Code Execution (Metasploit) - Linux remote Exploit	MISC	www.exploit-db.com	Exploit, Third Party Advisory, VDB Entry
Webmin 1.920 Remote Command Execution ≈ Packet Storm	MISC	packetstormsecurity.com	Exploit, Third Party Advisory, VDB Entry
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis
CISA Known Exploited Vulnerabilities catalog	CISA	www.cisa.gov	kev

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.