CVE-2020-35606
HIGH WAF: High
CVSS 8.8
Published: 2020-12-21
CWE-78
Arbitrary command execution can occur in Webmin through 1.962. Any user authorized for the Package Updates module can execute arbitrary commands with root privileges via vectors involving %0A and %0C. NOTE: this issue exists because of an incomplete fix for CVE-2019-12840.
WAF Coverage Analysis
OS Command Injection
High WAF Coverage
OWASP: A03:2021 Injection
932xxx - Remote Code Execution
Affected Software
| Vendor | Product | Version |
|---|---|---|
| webmin | webmin | up to 1.962 |
References
- packetstormsecurity.com (Exploit, Third Party Advisory, VDB Entry)
- www.exploit-db.com (Exploit, Third Party Advisory, VDB Entry)
- www.pentest.com.tr (Exploit, Third Party Advisory)
- www.webmin.com (Product)