An issue was discovered in Webmin <=1.920. The parameter old in password_change.cgi contains a command injection vulnerability.