Stored Cross-Site Scripting (XSS) in the parameters "host", "desc", "group" and "newgroup" of the section "Webmin Servers Index" in webmin/webmin

Valid

Reported on

Sep 24th 2022


Description

In Webmin version 2.001, the "Webmin Servers Index" module renders the values submitted in the "host", "desc", "group" and "newgroup" parameters without escaping them for HTML. A user who can register or edit a server entry can therefore store arbitrary JavaScript that is executed in the browser of anyone who later views or edits that entry, i.e. a Stored Cross-Site Scripting (XSS) vulnerability.

Proof of Concept

  • Go to the "Webmin Servers Index" section.
  • Click on the "Register a new server" button.
  • In the "Hostname or IP address" field insert the following payload:
    "><script>alert('XSS')</script>
  • Save the changes; the payload is executed as soon as the entry is saved and displayed.
  • Note: a payload stored in the "group" or "newgroup" parameter is only executed when the saved item is edited.
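The bug class behind the description and the steps above is an unescaped value interpolated into an HTML attribute: a double quote in the stored value terminates the attribute and everything after it becomes markup. The following is an added Python illustration of that pattern and of its fix, not Webmin's own code (the Webmin servers module is written in Perl). The form markup, the render_form function and the FIELDS tuple are assumptions made for the example, and the sample values are constructed; tokenising the output with Python's html.parser stands in for what a browser would do with the page.

```python
"""Added illustration of the stored-XSS pattern in this report.
Standalone Python, not Webmin's Perl code; the markup is an assumption."""
import html
from html.parser import HTMLParser

# Constructed inputs: the payload from the PoC and a benign hostname.
XSS_PAYLOAD = "\"><script>alert('XSS')</script>"
BENIGN_HOST = "db01.example.internal"
# The four parameters named in the report (hypothetical form layout).
FIELDS = ("host", "desc", "group", "newgroup")


def render_form(values: dict, escape: bool) -> str:
    """Build the server edit form.

    escape=False interpolates the raw stored value into the attribute, which is
    the vulnerable pattern: a '"' in the value closes the attribute early.
    escape=True HTML-escapes the value, quotes included, so the stored text can
    never leave the attribute no matter what it contains."""
    rows = []
    for name in FIELDS:
        raw = values.get(name, "")
        val = html.escape(raw, quote=True) if escape else raw
        rows.append(f'<input type="text" name="{name}" value="{val}">')
    return "<form>" + "".join(rows) + "</form>"


class _Tags(HTMLParser):
    """Collect start tags and input values the way a browser tokeniser would.
    html.parser decodes entities in attribute values, as a browser does."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.inputs = {}

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            a = dict(attrs)
            self.inputs[a.get("name")] = a.get("value")


def tokenise(markup: str) -> _Tags:
    p = _Tags()
    p.feed(markup)
    p.close()
    return p


def injected_script_tags(markup: str) -> int:
    """Number of <script> elements a browser would execute from this markup.
    Correctly encoded output contains zero, whatever values were stored."""
    return tokenise(markup).tags.count("script")


def round_trips(values: dict) -> bool:
    """True if the escaped form hands every stored value back unchanged, i.e.
    the fix encodes rather than strips, so legitimate data is not mangled."""
    got = tokenise(render_form(values, escape=True)).inputs
    return all(got.get(k) == v for k, v in values.items())


if __name__ == "__main__":
    stored = {"host": XSS_PAYLOAD, "desc": "Prod DB",
              "group": XSS_PAYLOAD, "newgroup": BENIGN_HOST}
    print("vulnerable:", injected_script_tags(render_form(stored, escape=False)))  # 2
    print("fixed:     ", injected_script_tags(render_form(stored, escape=True)))   # 0
    print("round-trip:", round_trips(stored))                                       # True
```

The round-trip check is worth keeping next to the script-tag check: a "fix" that strips quotes or angle brackets instead of encoding them would also pass the first check, but would silently corrupt any hostname or description containing those characters.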

Evidences

PoC

https://drive.google.com/file/d/1fPl1-IeNWqOidqv3wiBXc2Ych9vYK_3W/view

Impact

Because the injected script runs in the browser of whoever views the affected page, typically a Webmin administrator, this vulnerability allows an attacker to steal session data and other relevant information, deface the page, redirect users to malicious websites, or perform actions in the victim's authenticated session, which opens the way to further escalation and more advanced attacks.

We are processing your report and will contact the webmin team within 24 hours. 2 months ago
We have contacted a member of the webmin team and are waiting to hear back 2 months ago
webmin modified the Severity from Medium to None 2 months ago
webmin modified the Severity from None to Medium (5.3) 2 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
webmin validated this vulnerability 2 months ago
Juampa Rodríguez has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
webmin marked this as fixed in 2.002 with commit 2142ed 2 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Jamie Slome
2 months ago

Admin


The researcher has requested a CVE for this report. Are you happy for us to assign and publish one for this report @maintainer?
