MGASA-2020-0400

See a problem?
Please try reporting it to the source first.

Source

https://advisories.mageia.org/MGASA-2020-0400.html

Import Source

https://advisories.mageia.org/MGASA-2020-0400.json

JSON Data

https://api.osv.dev/v1/vulns/MGASA-2020-0400

Related

Published

2020-11-08T14:14:27Z

Modified

2020-11-08T13:37:28Z

Summary

Updated webmin package fixes security vulnerabilities

Details

An XSS Vulnerability exists in Webmin 1.941 and earlier affecting the Cluster Shell Commands Endpoint. A user may enter any XSS Payload into the Command field and execute it. Then, after revisiting the Cluster Shell Commands Menu, the XSS Payload will be rendered and executed. (CVE-2020-8820)

An Improper Data Validation Vulnerability exists in Webmin 1.941 and earlier affecting the Command Shell Endpoint. A user may enter HTML code into the Command field and submit it. Then, after visiting the Action Logs Menu and displaying logs, the HTML code will be rendered (however, JavaScript is not executed). Changes are kept across users. (CVE-2020-8821)

XSS exists in Webmin 1.941 and earlier affecting the Save function of the Read User Email Module / mailboxes Endpoint when attempting to save HTML emails. This module parses any output without sanitizing SCRIPT elements, as opposed to the View function, which sanitizes the input correctly. A malicious user can send any JavaScript payload into the message body and execute it if the user decides to save that email. (CVE-2020-12670)

References

Credits

- Mageia - COORDINATOR
- - https://wiki.mageia.org/en/Packages_Security_Team

Affected packages

Mageia:7 / webmin

Package

Name: webmin
Purl: pkg:rpm/mageia/webmin?arch=source&distro=mageia-7

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.960-1.mga7

Ecosystem specific

{
    "section": "core"
}