Vulnerability Note VU#381692
Webmin contains a cross-site scripting vulnerability
Overview
Webmin 1.670, and possibly earlier versions, contains a cross-site scripting vulnerability.
Description
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Webmin 1.670, and possibly earlier versions, contains a cross-site scripting vulnerability in the "search" parameter of the view.cgi page. |
Impact
A remote attacker that is able to trick a user in to visiting a specially crafted URL may be able to conduct a cross-site scripting attack. This attack may result in information leakage, privilege escalation, and/or denial of service. |
Solution
Apply an Update |
Vendor Information (Learn More)
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Webmin | Affected | 28 Feb 2014 | 14 Mar 2014 |
CVSS Metrics (Learn More)
| Group | Score | Vector |
|---|---|---|
| Base | 4.3 | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| Temporal | 3.4 | E:POC/RL:OF/RC:C |
| Environmental | 2.5 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND |
References
Credit
Thanks to William Costa for reporting this vulnerability.
This document was written by Jared Allar.
Other Information
- CVE IDs: CVE-2014-0339
- Date Public: 14 Mar 2014
- Date First Published: 14 Mar 2014
- Date Last Updated: 14 Mar 2014
- Document Revision: 6
Feedback
If you have feedback, comments, or additional information about this vulnerability, please send us email.
View Notes By
Report a Vulnerability
Please use the Vulnerability Reporting Form to report a vulnerability. Alternatively, you can send us email. Be sure to read our vulnerability disclosure policy.