Vulnerability Note VU#381692

Webmin contains a cross-site scripting vulnerability

Original Release date: 14 Mar 2014 | Last revised: 14 Mar 2014

Overview

Webmin 1.670, and possibly earlier versions, contains a cross-site scripting vulnerability.

Description

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Webmin 1.670, and possibly earlier versions, contains a cross-site scripting vulnerability in the "search" parameter of the view.cgi page.
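
One way to triage web server logs for requests to view.cgi whose "search" value carries HTML metacharacters, as an added example that is not code from CERT/CC or Webmin. The log layout, the placeholder path /MODULE/, the sample lines, and the metacharacter heuristic are all assumptions; hits are candidates for review, not confirmed attacks.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in an assumed combined-log layout.
# "/MODULE/" is a placeholder; the note does not give the full path to view.cgi.
SAMPLE_LOG = """\
192.0.2.10 - admin [14/Mar/2014:10:01:02 +0000] "GET /MODULE/view.cgi?search=kernel HTTP/1.1" 200 5120
192.0.2.11 - admin [14/Mar/2014:10:02:40 +0000] "GET /MODULE/view.cgi?search=%3Cb%3Etest%3C%2Fb%3E HTTP/1.1" 200 5144
192.0.2.12 - admin [14/Mar/2014:10:03:15 +0000] "GET /MODULE/index.cgi?search=%3Cb%3E HTTP/1.1" 200 2048
192.0.2.13 - admin [14/Mar/2014:10:04:09 +0000] "GET /MODULE/view.cgi?search=%253Cb%253E HTTP/1.1" 200 5130
192.0.2.14 - - [14/Mar/2014:10:05:00 +0000] "GET /MODULE/view.cgi?file=messages HTTP/1.1" 200 900
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
MARKUP_CHARS = set("<>\"'")  # characters that must be encoded before HTML output

def suspicious_search_values(target):
    """Return decoded 'search' values containing markup characters, for view.cgi only."""
    parts = urlsplit(target)
    if not parts.path.endswith("/view.cgi"):
        return []
    hits = []
    for value in parse_qs(parts.query, keep_blank_values=True).get("search", []):
        decoded = value  # parse_qs has already decoded one layer
        for _ in range(3):  # peel a few extra layers to catch double encoding
            unquoted = unquote(decoded)
            if unquoted == decoded:
                break
            decoded = unquoted
        if MARKUP_CHARS & set(decoded):
            hits.append(decoded)
    return hits

def scan(log_text):
    """Return (line number, client address, decoded value) for each flagged request."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if match:
            for value in suspicious_search_values(match.group(1)):
                findings.append((lineno, line.split()[0], value))
    return findings

if __name__ == "__main__":
    for lineno, client, value in scan(SAMPLE_LOG):
        print(f"line {lineno}: {client} sent search={value!r}")
```

Only parameters in the request line are visible in access logs, so values submitted in a POST body are not covered by this check.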

Impact

A remote attacker who is able to trick a user into visiting a specially crafted URL may be able to conduct a cross-site scripting attack. This attack may result in information leakage, privilege escalation, and/or denial of service.

Solution

Apply an Update

Webmin 1.680 addresses this vulnerability.

Vendor Information

Vendor  Status    Date Notified  Date Updated
Webmin  Affected  28 Feb 2014    14 Mar 2014

CVSS Metrics

Group          Score  Vector
Base           4.3    AV:N/AC:M/Au:N/C:N/I:P/A:N
Temporal       3.4    E:POC/RL:OF/RC:C
Environmental  2.5    CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

Credit

Thanks to William Costa for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

  • CVE IDs: CVE-2014-0339
  • Date Public: 14 Mar 2014
  • Date First Published: 14 Mar 2014
  • Date Last Updated: 14 Mar 2014
  • Document Revision: 6
