ZDI-CAN-22346: ZDI-24-1725: Webmin CGI Command Injection Remote Code Execution Vulnerability
First published: Fri Dec 20 2024(Updated: )
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Webmin. Authentication is required to exploit this vulnerability. The specific flaw exists within the handling of CGI requests. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root.
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Webmin |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of ZDI-CAN-22346?
The severity of ZDI-CAN-22346 is critical due to the potential for remote code execution.
How do I fix ZDI-CAN-22346?
To fix ZDI-CAN-22346, ensure that you update Webmin to the latest patched version.
What components does ZDI-CAN-22346 affect?
ZDI-CAN-22346 affects installations of Webmin, specifically in handling CGI requests.
Is authentication required to exploit ZDI-CAN-22346?
Yes, authentication is required to exploit the ZDI-CAN-22346 vulnerability.
Can ZDI-CAN-22346 lead to data breaches?
Yes, if exploited, ZDI-CAN-22346 can allow remote attackers to execute arbitrary code, potentially leading to data breaches.
- collector/zdi-published
- source/ZDI
- alias/ZDI-CAN-22346
- agent/last-modified-date
- agent/title
- agent/type
- agent/first-publish-date
- agent/severity
- agent/references
- agent/softwarecombine
- agent/description
- agent/source
- agent/tags
- collector/zdi-advisory
- alias/ZDI-24-1725
- alias/CVE-2024-12828
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- agent/event
- vendor/webmin
- canonical/webmin