First published: Wed Mar 14 2018
An issue was discovered in Webmin 1.840 and 1.880 when the default Yes setting of "Can view any file as a log file" is enabled. As a result of weak default configuration settings, limited users have full access rights to the underlying Unix system files, allowing the user to read sensitive data from the local system (using Local File Include) such as the '/etc/shadow' file via a "GET /syslog/save_log.cgi?view=1&file=/etc/shadow" request.
Credit: cve@mitre.org
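The request pattern in the description can be searched for in web access logs. The Python below is an added example, not part of the advisory or of Webmin: it assumes Common Log Format lines and that legitimate log files live under /var/log, and the sample lines are constructed.

```python
import posixpath
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: directories that hold legitimate log files on this host.
ALLOWED_LOG_DIRS = ("/var/log",)

# Assumption: access log lines follow Common Log Format.
CLF = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
                 r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def suspicious_log_view(line):
    """Return (ip, user, resolved_path, status) when the line is a
    save_log.cgi request for a file outside ALLOWED_LOG_DIRS, else None."""
    m = CLF.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.endswith("/syslog/save_log.cgi"):
        return None
    # parse_qs percent-decodes values, so %2Fetc%2Fshadow is handled too.
    for raw in parse_qs(url.query).get("file", []):
        # Collapse "../" segments before comparing against the allow-list.
        resolved = posixpath.normpath("/" + raw.lstrip("/"))
        inside = any(resolved == d or resolved.startswith(d + "/")
                     for d in ALLOWED_LOG_DIRS)
        if not inside:
            return (m.group("ip"), m.group("user"), resolved, m.group("status"))
    return None

def scan(lines):
    """Return all hits found in an iterable of access log lines."""
    return [hit for hit in map(suspicious_log_view, lines) if hit]

# Constructed sample lines (not taken from a real system).
SAMPLE = [
    '10.0.0.5 - limited [14/Mar/2018:10:02:11 +0000] '
    '"GET /syslog/save_log.cgi?view=1&file=/etc/shadow HTTP/1.1" 200 1375',
    '10.0.0.5 - limited [14/Mar/2018:10:03:40 +0000] "GET /syslog/save_log.cgi'
    '?view=1&file=%2Fvar%2Flog%2F..%2F..%2Fetc%2Fshadow HTTP/1.1" 200 1375',
    '10.0.0.9 - admin [14/Mar/2018:10:05:02 +0000] '
    '"GET /syslog/save_log.cgi?view=1&file=/var/log/messages HTTP/1.1" 200 90211',
    '10.0.0.9 - admin [14/Mar/2018:10:05:09 +0000] "GET /syslog/ HTTP/1.1" 200 4120',
]

if __name__ == "__main__":
    for ip, user, path, status in scan(SAMPLE):
        print(f"{ip} user={user} requested {path} via save_log.cgi (HTTP {status})")
```

A hit with a 200 status from a non-administrative account is the case the advisory describes; the allow-list should be adjusted to the log directories actually used on the host.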
Affected Software | Affected Version | How to fix |
---|---|---|
Webmin Webmin | =1.840 | |
Webmin Webmin | =1.880 | |
CVE-2018-8712 is a vulnerability in Webmin versions 1.840 and 1.880 that allows limited users to have full access to underlying Unix system files.
CVE-2018-8712 has a severity rating of 9.8, which is classified as critical.
Webmin versions 1.840 and 1.880 are affected by CVE-2018-8712.
The Common Weakness Enumeration (CWE) for CVE-2018-8712 is CWE-22.
Yes, it is recommended to update to a fixed version of Webmin to address the vulnerability.