Vulnerability Description
Arbitrary command execution can occur in Webmin through 1.962. Any user authorized for the Package Updates module can execute arbitrary commands with root privileges via vectors involving %0A and %0C. NOTE: this issue exists because of an incomplete fix for CVE-2019-12840.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Webmin | Webmin | <= 1.962 |
Related Weaknesses (CWE)
References
- http://packetstormsecurity.com/files/160676/Webmin-1.962-Remote-Command-Executio (Exploit, Third Party Advisory, VDB Entry)
- https://www.exploit-db.com/exploits/49318 (Exploit, Third Party Advisory, VDB Entry)
- https://www.pentest.com.tr/exploits/Webmin-1962-PU-Escape-Bypass-Remote-Command- (Exploit, Third Party Advisory)
- https://www.webmin.com/download.html (Product)
FAQ
What is CVE-2020-35606?
CVE-2020-35606 is a vulnerability with a CVSS score of 8.8 (HIGH). Arbitrary command execution can occur in Webmin through 1.962. Any user authorized for the Package Updates module can execute arbitrary commands with root privileges via vectors involving %0A and %0C....
How severe is CVE-2020-35606?
CVE-2020-35606 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2020-35606?
Check the references section above for vendor advisories and patch information. Affected products include: Webmin Webmin.