CVE-2020-35606: OS Command Injection
First published: Mon Dec 21 2020(Updated: )
Arbitrary command execution can occur in Webmin through 1.962. Any user authorized for the Package Updates module can execute arbitrary commands with root privileges via vectors involving %0A and %0C. NOTE: this issue exists because of an incomplete fix for CVE-2019-12840.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Webmin Webmin | <=1.962 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2020-35606?
The severity of CVE-2020-35606 is critical with a severity value of 8.8.
How can arbitrary command execution occur in Webmin through version 1.962?
Arbitrary command execution can occur in Webmin through version 1.962 when any user authorized for the Package Updates module executes arbitrary commands with root privileges via vectors involving %0A and %0C.
Which users are affected by CVE-2020-35606?
Any user authorized for the Package Updates module in Webmin through version 1.962 is affected by CVE-2020-35606.
What is the impact of CVE-2020-35606?
The impact of CVE-2020-35606 is that an attacker with unauthorized access to the Package Updates module can execute arbitrary commands with root privileges, compromising the security of the system.
Is there a patch or fix available for CVE-2020-35606?
Yes, a patch or fix is available for CVE-2020-35606. It is recommended to update to a version of Webmin that includes the complete fix for CVE-2019-12840.
- collector/nvd-index
- agent/weakness
- agent/references
- agent/severity
- agent/author
- agent/type
- agent/tags
- agent/event
- agent/description
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- vendor/webmin
- canonical/webmin webmin
- version/webmin webmin/1.962