JVN#81442045
Multiple vulnerabilities in multiple Webmin products

Overview

Multiple Webmin products contain multiple vulnerabilities.

Products Affected

CVE-2024-36450

• Webmin versions prior to 1.910

• Webmin versions prior to 1.970
• Usermin versions prior to 1.820

• Webmin versions prior to 2.003

Description

Multiple Webmin products contain multiple vulnerabilities listed below.

• sysinfo.cgi is vulnerable to cross-site scripting (CWE-79)
  • CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score 6.1
  • CVE-2024-36450
• session_login.cgi is vulnerable to cross-site scripting (CWE-79)
  • CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score 6.1
  • CVE-2024-36453
• ajaxterm module is vulnerable to improper handling of insufficient permissions or privileges (CWE-280)
  • CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Base Score 8.8
  • CVE-2024-36451
• ajaxterm module is vulnerable to cross-site request forgery (CWE-352)
  • CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N Base Score 3.1
  • CVE-2024-36452

Impact

• An arbitrary script may be executed on the web browser of the user who accessed the website using the product (CVE-2024-36450, CVE-2024-36453)
• Console session may be hijacked by an unauthorized user (CVE-2024-36451)
• If a user views a malicious page while logged in, unintended operations may be performed (CVE-2024-36452)

Solution

Update the Software
Update the software to the latest version according to the information provided by the developer.