Stored Cross-Site Scripting (XSS) in the parameters "host", "desc", "group" and "newgroup" of the section "Webmin Servers Index" in webmin/webmin
Sep 24th 2022
Proof of Concept
- Go to the "Webmin Servers Index" section.
- Click on the "Register a new server" button.
- In the "Hostname or IP address" field insert the following payload:
- Save the changes and the payload will be executed immediately.
- Note: The payload inserted in the "group" and "newgroup" parameters will only be executed when editing the item.
This vulnerability allows attackers to steal relevant information, deface the website, or direct users to malicious websites, and it may serve as a starting point for escalated or more advanced attacks.
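The mitigation for stored values like these is to encode them every time they are written into a page, in both the index view and the edit form. The following Perl sketch is an added example, not Webmin's code and not its actual fix. The function names (`esc_html`, `valid_host`, `render_index_row`, `render_edit_form`), the form layout and the sample record are assumptions made for illustration.

```perl
use strict;
use warnings;

# Encode the characters that are significant in HTML text and quoted attributes.
sub esc_html {
    my ($s) = @_;
    $s = '' unless defined $s;
    my %map = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$map{$1}/g;
    return $s;
}

# Character allowlist for "host" (hostname, IPv4 or IPv6 literal characters).
# Input checking is a second layer only; output encoding is still required.
sub valid_host {
    my ($h) = @_;
    return defined($h) && length($h) <= 253 && $h =~ /\A[A-Za-z0-9.:\-]+\z/ ? 1 : 0;
}

# Index view (hypothetical layout): stored values land in element text.
sub render_index_row {
    my ($srv) = @_;
    return sprintf('<tr><td>%s</td><td>%s</td><td>%s</td></tr>',
        map { esc_html($srv->{$_}) } qw(host desc group));
}

# Edit view (hypothetical layout): the same values land in quoted attributes
# and <option> text, the context where "group" and "newgroup" are rendered.
sub render_edit_form {
    my ($srv, @groups) = @_;
    my $cur  = defined $srv->{group} ? $srv->{group} : '';
    my $opts = join '', map {
        my $sel = $_ eq $cur ? ' selected' : '';
        sprintf('<option value="%s"%s>%s</option>', esc_html($_), $sel, esc_html($_));
    } @groups;
    return sprintf('<input name="host" value="%s"><input name="desc" value="%s">'
                 . '<select name="group">%s</select><input name="newgroup" value="">',
        esc_html($srv->{host}), esc_html($srv->{desc}), $opts);
}

# Constructed sample record: harmless markup stands in for untrusted input.
my %srv = (host  => 'web01.example.test',
           desc  => '<b>lab</b> "quoted" & more',
           group => 'ops"><i>x</i>');
print render_index_row(\%srv), "\n";
print render_edit_form(\%srv, $srv{group}, 'dev'), "\n";
print "host '<b>x</b>' ", (valid_host('<b>x</b>') ? 'accepted' : 'rejected'), "\n";
```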