Japan Vulnerability Notes JVN:81442045
Published: Jul 09, 2024

JVN#81442045: Multiple vulnerabilities in multiple Webmin products

2024-07-09 00:00:00
Japan Vulnerability Notes
jvn.jp

Keywords: webmin, vulnerabilities, cross-site scripting, permissions, cross-site request forgery, update software, CVE-2024-36450, CVE-2024-36453, CVE-2024-36451, CVE-2024-36452, version affected

CVSS3: 8.8
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score: 6.9
Confidence: High
EPSS: 0.001
Percentile: 29.6%

Multiple Webmin products contain the vulnerabilities listed below.

  • sysinfo.cgi is vulnerable to cross-site scripting (CWE-79)
    CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score 6.1
    CVE-2024-36450
  • session_login.cgi is vulnerable to cross-site scripting (CWE-79)
    CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score 6.1
    CVE-2024-36453
  • ajaxterm module is vulnerable to improper handling of insufficient permissions or privileges (CWE-280)
    CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Base Score 8.8
    CVE-2024-36451
  • ajaxterm module is vulnerable to cross-site request forgery (CWE-352)
    CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N Base Score 3.1
    CVE-2024-36452

Impact

  • An arbitrary script may be executed on the web browser of the user who accessed the website using the product (CVE-2024-36450, CVE-2024-36453)
  • Console session may be hijacked by an unauthorized user (CVE-2024-36451)
  • If a user views a malicious page while logged in, unintended operations may be performed (CVE-2024-36452)

Solution

Update the Software
Update the software to the latest version according to the information provided by the developer.

Products Affected

CVE-2024-36450

  • Webmin versions prior to 1.910

CVE-2024-36453

  • Webmin versions prior to 1.970
  • Usermin versions prior to 1.820

CVE-2024-36451, CVE-2024-36452

  • Webmin versions prior to 2.003
