CVE-2012-2983

Webmin <1.590 - Info Disclosure

Title source: llm

Description

file/edit_html.cgi in Webmin 1.590 and earlier does not perform an authorization check before showing a file's unedited contents, which allows remote attackers to read arbitrary files via the file field.

Exploits (1)

metasploit WORKING POC
by Unknown, juan vazquez · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/admin/webmin/edit_html_fileaccess.rb

Scores

EPSS 0.5093
EPSS Percentile 97.8%

Classification

CWE
CWE-287
Status draft

Affected Products (39)

gentoo/webmin < 1.590
gentoo/webmin
gentoo/webmin
gentoo/webmin
gentoo/webmin
gentoo/webmin
gentoo/webmin
gentoo/webmin
gentoo/webmin
gentoo/webmin
gentoo/webmin
gentoo/webmin
gentoo/webmin
gentoo/webmin
gentoo/webmin
... and 24 more

Timeline

Published Sep 11, 2012
Tracked Since Feb 18, 2026