VDB
CVE-2022-30708
CVE-2022-30708
PUBLISHED
CVSS 8.800000190734863 HIGH
Webmin through 1.991, when the Authentic theme is used, allows remote code execution when a user has been manually created (i.e., not created in Virtualmin or Cloudmin). This occurs because settings-editor_write.cgi does not properly restrict the file parameter.
EPSS 4.70% · 89.6th percentile
Risk Scores
CVSS 3.1
8.800000190734863
CVSS:3.1/AC:L/AV:N/A:H/C:H/I:H/PR:L/S:U/UI:N
EPSS Score
4.70%
89.6th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| webmin | webmin | 0 |
| n/a | n/a | n/a |
Timeline
- May 15, 2022 EPSS Score
- May 15, 2022 CVE Published
- Aug 22, 2022 EPSS Score
- Oct 10, 2022 EPSS Score
- Jan 17, 2023 EPSS Score
- Mar 7, 2023 EPSS Score
- Jun 13, 2023 EPSS Score
- Aug 1, 2023 EPSS Score
- Nov 8, 2023 EPSS Score
- Dec 27, 2023 EPSS Score
- Apr 3, 2024 EPSS Score
- May 22, 2024 EPSS Score
References
- https://github.com/webmin/webmin/issues/1635 url
- https://github.com/esp0xdeadbeef/rce_webmin url
- https://www.twitch.tv/videos/1483029790 url
- https://github.com/webmin/webmin/releases url
- https://github.com/webmin/authentic-theme/releases url
- https://webmin.com/changes.html url
- https://github.com/webmin/webmin/commit/6a2334bf8b27d55c7edf0b2825cd14f3f8a69d4d url
- https://github.com/esp0xdeadbeef/rce_webmin/blob/main/exploit.py url
- https://nvd.nist.gov/vuln/detail/CVE-2022-30708 advisory