Jamie Cameron

10 exploits Active since Jul 2017
CVE-2022-36446 WRITEUP CRITICAL WRITEUP
Webmin < 1.997 - Remote Code Execution via Unescaped UI Command
software/apt-lib.pl in Webmin before 1.997 lacks HTML escaping for a UI command.
CVSS 9.8
CVE-2017-15644 WRITEUP HIGH WRITEUP
Webmin < 1.850 - Server-Side Request Forgery via PATH_INFO to tunnel/link.cgi
SSRF exists in Webmin 1.850 via the PATH_INFO to tunnel/link.cgi, as demonstrated by a GET request for tunnel/link.cgi/http://INTRANET-IP:8000.
CVSS 8.6
CVE-2017-15645 WRITEUP HIGH WRITEUP
Webmin < 1.850 - Cross-Site Request Forgery via create_job.cgi URI Parameter
CSRF exists in Webmin 1.850. By sending a GET request to at/create_job.cgi containing dir=/&cmd= in the URI, an attacker to execute arbitrary commands.
CVSS 8.8
CVE-2017-17089 WRITEUP MEDIUM WRITEUP
Webmin < 1.870 - Authenticated Stored Cross-Site Scripting via Custom Command Description Field
custom/run.cgi in Webmin before 1.870 allows remote authenticated administrators to conduct XSS attacks via the description field in the custom command functionality.
CVSS 4.8
CVE-2017-9313 WRITEUP MEDIUM WRITEUP
Webmin < 1.850 - Cross-Site Scripting via sec Parameter to view_man.cgi
Multiple Cross-site scripting (XSS) vulnerabilities in Webmin before 1.850 allow remote attackers to inject arbitrary web script or HTML via the sec parameter to view_man.cgi, the referers parameter to change_referers.cgi, or the name parameter to save_user.cgi. NOTE: these issues were not fixed in 1.840.
CVSS 6.1
CVE-2020-35769 WRITEUP CRITICAL WRITEUP
Webmin 1.962 - OS Command Injection via CGI Query Arguments
miniserv.pl in Webmin 1.962 on Windows mishandles special characters in query arguments to the CGI program.
CVSS 9.8
CVE-2022-0829 WRITEUP HIGH WRITEUP
webmin < 1.990 - Improper Authorization
Improper Authorization in GitHub repository webmin/webmin prior to 1.990.
CVSS 8.1
CVE-2022-30708 WRITEUP HIGH WRITEUP
Webmin < 1.991 - Remote Code Execution via Authentic Theme File Parameter
Webmin through 1.991, when the Authentic theme is used, allows remote code execution when a user has been manually created (i.e., not created in Virtualmin or Cloudmin). This occurs because settings-editor_write.cgi does not properly restrict the file parameter.
CVSS 8.8
CVE-2022-3844 WRITEUP LOW WRITEUP
Webmin 2.001 - Cross-Site Scripting in xterm/index.cgi
A vulnerability, which was classified as problematic, was found in Webmin 2.001. Affected is an unknown function of the file xterm/index.cgi. The manipulation leads to basic cross site scripting. It is possible to launch the attack remotely. Upgrading to version 2.003 is able to address this issue. The patch is identified as d3d33af3c0c3fd3a889c84e287a038b7a457d811. It is recommended to upgrade the affected component. VDB-212862 is the identifier assigned to this vulnerability.
CVSS 3.5
CVE-2025-67738 WRITEUP HIGH WRITEUP
Webmin < 2.600 - Authenticated OS Command Injection via Squid Cache Manager
squid/cachemgr.cgi in Webmin before 2.600 does not properly quote arguments. This is relevant if Webmin's Squid module and its Cache Manager feature are available, and an untrusted party is able to authenticate to Webmin and has certain Cache Manager permissions (the "cms" security option).
CVSS 8.5