rpc.cgi in Webmin through 1.920 allows authenticated...
High severity
Unreviewed
Published
May 24, 2022
to the GitHub Advisory Database
•
Updated Apr 4, 2024
Description
Published by the National Vulnerability Database
Aug 26, 2019
Published to the GitHub Advisory Database
May 24, 2022
Last updated
Apr 4, 2024
rpc.cgi in Webmin through 1.920 allows authenticated Remote Code Execution via a crafted object name because unserialise_variable makes an eval call. NOTE: the Webmin_Servers_Index documentation states "RPC can be used to run any command or modify any file on a server, which is why access to it must not be granted to un-trusted Webmin users."
References