
CERT Coordination Center

Webmin contains a cross-site scripting vulnerability

Vulnerability Note VU#381692

Original Release Date: 2014-03-14 | Last Revised: 2014-03-14


Webmin 1.670, and possibly earlier versions, contains a cross-site scripting vulnerability.


CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Webmin 1.670, and possibly earlier versions, contains a cross-site scripting vulnerability in the "search" parameter of the view.cgi page.


A remote attacker who is able to trick a user into visiting a specially crafted URL may be able to conduct a cross-site scripting attack. This attack may result in information leakage, privilege escalation, and/or denial of service.
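For log review on a Webmin host, the following added example (not part of the original note and not Webmin code) flags access-log requests to view.cgi whose decoded "search" parameter contains HTML metacharacters. The combined log format, the MODULE directory placeholder and the sample entries are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Characters that let a reflected value break out of HTML text or an attribute.
HTML_META = re.compile(r"[<>\"']")
# Request line of a combined-format access log entry (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def suspicious_search_values(log_line):
    """Return decoded "search" values containing HTML metacharacters
    for requests whose path ends in /view.cgi; empty list otherwise."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    if not url.path.endswith("/view.cgi"):
        return []
    # parse_qs percent-decodes once; keep_blank_values keeps "search=" visible.
    values = parse_qs(url.query, keep_blank_values=True).get("search", [])
    return [v for v in values if HTML_META.search(v)]

def scan(lines):
    """Yield (line_number, values) for every log line that needs review."""
    for n, line in enumerate(lines, 1):
        hits = suspicious_search_values(line)
        if hits:
            yield n, hits

# Constructed sample entries (not from a real server). MODULE is a placeholder:
# the note does not give the directory that contains view.cgi.
SAMPLE_LOG = [
    '192.0.2.10 - admin [14/Mar/2014:10:00:01 +0000] "GET /MODULE/view.cgi?search=error HTTP/1.1" 200 5120',
    '192.0.2.10 - admin [14/Mar/2014:10:00:07 +0000] "GET /MODULE/view.cgi?search=%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 5131',
    '192.0.2.11 - - [14/Mar/2014:10:01:12 +0000] "GET /index.cgi?search=%3Cb%3E HTTP/1.1" 200 900',
    '192.0.2.12 - admin [14/Mar/2014:10:02:30 +0000] "GET /MODULE/view.cgi?view=1&search=%22%20x%3D%22 HTTP/1.1" 200 5140',
]

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG):
        print(f"line {n}: search={hits!r}")
```

The check decodes the parameter once, so a hit is a prompt for manual review rather than proof of exploitation, and POST bodies are not visible in access logs.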


Apply an Update

Webmin 1.680 addresses this vulnerability.

Vendor Information


Webmin Affected

Notified: February 28, 2014 | Updated: March 14, 2014



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CVSS Metrics

Group          Score  Vector
Base           4.3    AV:N/AC:M/Au:N/C:N/I:P/A:N
Temporal       3.4    E:POC/RL:OF/RC:C
Environmental  2.5    CDP:ND/TD:M/CR:ND/IR:ND/AR:ND



Thanks to William Costa for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

CVE IDs: CVE-2014-0339
Date Public: 2014-03-14
Date First Published: 2014-03-14
Date Last Updated: 2014-03-14 21:06 UTC
Document Revision: 7

Sponsored by CISA.