CVE-2012-2983

Webmin <1.590 - Info Disclosure

Title source: llm

Description

file/edit_html.cgi in Webmin 1.590 and earlier does not perform an authorization check before showing a file's unedited contents, which allows remote attackers to read arbitrary files via the file field.

Exploits (1)

metasploit WORKING POC

by Unknown, juan vazquez · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/admin/webmin/edit_html_fileaccess.rb

View Code ZIP pw:eip

References (6)

[Various Sources] http://americaninfosec.com/research/index.html

[Various Sources] http://www.americaninfosec.com/research/dossiers/AISG-12-002.pdf

[Patch, US Government Resource] http://www.kb.cert.org/vuls/id/788478

[Various Sources] http://www.xerox.com/download/security/security-bulletin/16287-4d6b7b0c81f7b/cert_XRX13-003_v1.0.pdf

[Patch] https://github.com/webmin/webmin/commit/4cd7bad70e23e4e19be8ccf7b9f245445b2b3b80

[Third Party Advisory, VDB Entry] http://www.securitytracker.com/id?1027507

Scores

EPSS 0.5399

EPSS Percentile 98.0%

Details

CWE

CWE-287

Status published

Products (39)

gentoo/webmin 1.140

gentoo/webmin 1.150

gentoo/webmin 1.160

gentoo/webmin 1.170

gentoo/webmin 1.180

gentoo/webmin 1.200

gentoo/webmin 1.210

gentoo/webmin 1.220

gentoo/webmin 1.230

gentoo/webmin 1.240

... and 29 more

Published Sep 11, 2012

Tracked Since Feb 18, 2026