Updated webmin package fixes security vulnerabilities
Publication date: 08 Nov 2020Modification date: 08 Nov 2020
Type: security
Affected Mageia releases : 7
CVE: CVE-2020-8820 , CVE-2020-8821 , CVE-2020-12670
Description
An XSS Vulnerability exists in Webmin 1.941 and earlier affecting the Cluster
Shell Commands Endpoint. A user may enter any XSS Payload into the Command
field and execute it. Then, after revisiting the Cluster Shell Commands Menu,
the XSS Payload will be rendered and executed. (CVE-2020-8820)
An Improper Data Validation Vulnerability exists in Webmin 1.941 and earlier
affecting the Command Shell Endpoint. A user may enter HTML code into the
Command field and submit it. Then, after visiting the Action Logs Menu and
displaying logs, the HTML code will be rendered (however, JavaScript is not
executed). Changes are kept across users. (CVE-2020-8821)
XSS exists in Webmin 1.941 and earlier affecting the Save function of the
Read User Email Module / mailboxes Endpoint when attempting to save HTML
emails. This module parses any output without sanitizing SCRIPT elements, as
opposed to the View function, which sanitizes the input correctly. A malicious
user can send any JavaScript payload into the message body and execute it if
the user decides to save that email. (CVE-2020-12670)
References
- https://bugs.mageia.org/show_bug.cgi?id=27459
- https://www.webmin.com/security.html
- https://www.webmin.com/changes.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8820
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8821
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12670
SRPMS
7/core
- webmin-1.960-1.mga7