Stored Cross-Site Scripting (XSS) in the parameters "host", "desc", "group" and "newgroup" of the section "Webmin Servers Index" in webmin/webmin


Reported on Sep 24th 2022


In Webmin version 2.001, the "Webmin Servers Index" section does not properly sanitize the user-supplied "host", "desc", "group" and "newgroup" parameters. An attacker who can submit these fields can store JavaScript in them, which is later rendered to other users, resulting in a Stored Cross-Site Scripting (XSS) vulnerability.
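The two patterns at the heart of this finding, shown as an added Python example (not Webmin's Perl code and not the fix shipped in 2.002): a row renderer that interpolates the stored "host", "desc" and "group" values straight into HTML, next to one that HTML-escapes every value at output time, plus an input-side hostname check. The form submission, the field names and the allow-list regex are constructed for illustration and are assumptions, not taken from Webmin.

```python
import html
import re
from typing import Dict

# Constructed sample of what a "Register a new server" form might submit.
# Field names mirror the parameters named in the report; values are made up
# and deliberately contain harmless markup so the difference is visible.
SAMPLE_SUBMISSION: Dict[str, str] = {
    "host": "<i>not-a-host</i>.example.com",
    "desc": "Lab box <b>prod</b>",
    "group": 'Web "front" tier',
    "newgroup": "",
}

# Hostnames and IP literals need only a narrow character set, so anything
# else can be rejected before it is stored (hypothetical rule, not Webmin's).
HOST_RE = re.compile(r"^[A-Za-z0-9.\-:\[\]]{1,253}$")


def render_row_unsafe(entry: Dict[str, str]) -> str:
    """Vulnerable pattern: stored values are interpolated straight into HTML,
    so any markup a user typed into the form becomes part of the page."""
    return "<tr><td>{host}</td><td>{desc}</td><td>{group}</td></tr>".format(**entry)


def render_row_safe(entry: Dict[str, str]) -> str:
    """Hardened pattern: every stored value is HTML-escaped when it is output.
    quote=True also escapes quotes, which matters inside attribute values."""
    cells = (html.escape(entry[k], quote=True) for k in ("host", "desc", "group"))
    return "<tr>" + "".join(f"<td>{c}</td>" for c in cells) + "</tr>"


def validate_host(host: str) -> bool:
    """Input-side check: reject values that cannot be a hostname or IP literal.
    This is defence in depth; output escaping is still required for "desc"
    and "group", which legitimately contain free text."""
    return bool(HOST_RE.match(host))


def contains_foreign_markup(rendered: str, allowed_tags=("tr", "td")) -> bool:
    """Detection helper: does a rendered row contain tags other than the
    table's own? Useful as a regression test over stored entries."""
    tags = re.findall(r"<\s*/?\s*([A-Za-z][A-Za-z0-9]*)", rendered)
    return any(t.lower() not in allowed_tags for t in tags)


if __name__ == "__main__":
    print("unsafe:", render_row_unsafe(SAMPLE_SUBMISSION))
    print("safe:  ", render_row_safe(SAMPLE_SUBMISSION))
    print("host accepted:", validate_host(SAMPLE_SUBMISSION["host"]))
```

Running the block prints the same row twice: the unsafe version carries the user's `<i>` and `<b>` tags into the page, the safe version shows them as literal text. The validator rejects the constructed host outright, but note that it does nothing for the description and group fields, which is why escaping on output rather than filtering on input is the fix that closes all four parameters at once.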

Proof of Concept

  • Go to the "Webmin Servers Index" section.
  • Click on the "Register a new server" button.
  • In the "Hostname or IP address" field insert the following payload:
  • Save the changes and the payload will be executed immediately.
  • Note: The payload inserted in the "group" and "newgroup" parameters will only be executed when editing the item.




This vulnerability allows attackers to steal sensitive information, deface the site or redirect users to malicious websites, and it may also serve as a stepping stone to further, more advanced attacks.

We are processing your report and will contact the webmin team within 24 hours. a year ago
A GitHub Issue asking the maintainers to create a exists a year ago
We have contacted a member of the webmin team and are waiting to hear back a year ago
webmin modified the Severity from Medium to None a year ago
webmin modified the Severity from None to Medium (5.3) a year ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
webmin validated this vulnerability a year ago
Juampa Rodríguez has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
webmin marked this as fixed in 2.002 with commit 2142ed a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Jamie Slome
a year ago


The researcher has requested a CVE for this report. Are you happy for us to assign and publish one for this report @maintainer?
