CVE-2022-30708
Summary
| CVE | CVE-2022-30708 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2022-05-15 03:15:00 UTC |
| Updated | 2022-05-24 17:19:00 UTC |
| Description | Webmin through 1.991, when the Authentic theme is used, allows remote code execution when a user has been manually created (i.e., not created in Virtualmin or Cloudmin). This occurs because settings-editor_write.cgi does not properly restrict the file parameter. |
Risk And Classification
Problem Types: NVD-CWE-noinfo
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Factor out check for root-ish user into a separate function https://g… · webmin/webmin@6a2334b · GitHub | MISC | github.com | |
| Releases · webmin/webmin · GitHub | MISC | github.com | |
| Webmin | MISC | webmin.com | |
| GitHub - esp0xdeadbeef/rce_webmin: RCE and privilege escalation webmin version 1.991 | MISC | github.com | |
| rce_webmin/exploit.py at main · esp0xdeadbeef/rce_webmin · GitHub | MISC | github.com | |
| Twitch | MISC | www.twitch.tv | |
| RCE and privesc on safe user · Issue #1635 · webmin/webmin · GitHub | MISC | github.com | |
| Releases · webmin/authentic-theme · GitHub | MISC | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 730500 Webmin Privilege Escalation Vulnerability