Webmin Package Updates Command Injection
Posted by deepcore on August 10, 2022 – 11:23 pm
This Metasploit module exploits an arbitrary command injection in Webmin versions prior to 1.997. Webmin uses the OS package manager (apt, yum, etc.) to perform package updates and installation. Due to a lack of input sanitization, it is possible to inject an arbitrary command that will be concatenated to the package manager call. This exploit requires authentication and the account must have access to the Software Package Updates module.
Post a reply
You must be logged in to post a comment.