CVE-2022-30708
First published: Sun May 15 2022(Updated: )
Webmin through 1.991, when the Authentic theme is used, allows remote code execution when a user has been manually created (i.e., not created in Virtualmin or Cloudmin). This occurs because settings-editor_write.cgi does not properly restrict the file parameter.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Webmin Webmin | <=1.991 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/esp0xdeadbeef/rce_webmin
- https://github.com/esp0xdeadbeef/rce_webmin/blob/main/exploit.py
- https://github.com/webmin/authentic-theme/releases
- https://github.com/webmin/webmin/commit/6a2334bf8b27d55c7edf0b2825cd14f3f8a69d4d
- https://github.com/webmin/webmin/issues/1635
- https://github.com/webmin/webmin/releases
- https://webmin.com/changes.html
- https://www.twitch.tv/videos/1483029790
Frequently Asked Questions
What is CVE-2022-30708?
CVE-2022-30708 is a vulnerability in Webmin through version 1.991 that allows remote code execution.
What is the severity of CVE-2022-30708?
The severity of CVE-2022-30708 is high, with a severity value of 8.8.
Which version of Webmin is affected by CVE-2022-30708?
Webmin versions up to and including 1.991 are affected by CVE-2022-30708.
How does CVE-2022-30708 allow remote code execution?
CVE-2022-30708 allows remote code execution when a user has been manually created in Webmin using the Authentic theme.
Is there a fix for CVE-2022-30708?
Yes, updating Webmin to a version beyond 1.991 can fix the CVE-2022-30708 vulnerability.
- collector/nvd-index
- agent/references
- agent/severity
- vendor/webmin
- canonical/webmin webmin
- version/webmin webmin/1.991