Mageia 2020-0400: webmin security update
Summary
An XSS Vulnerability exists in Webmin 1.941 and earlier affecting the Cluster
Shell Commands Endpoint. A user may enter any XSS Payload into the Command
field and execute it. Then, after revisiting the Cluster Shell Commands Menu,
the XSS Payload will be rendered and executed. (CVE-2020-8820)
An Improper Data Validation Vulnerability exists in Webmin 1.941 and earlier
affecting the Command Shell Endpoint. A user may enter HTML code into the
Command field and submit it. Then, after visiting the Action Logs Menu and
displaying logs, the HTML code will be rendered (however, JavaScript is not
executed). Changes are kept across users. (CVE-2020-8821)
XSS exists in Webmin 1.941 and earlier affecting the Save function of the
Read User Email Module / mailboxes Endpoint when attempting to save HTML
emails. This module parses any output without sanitizing SCRIPT elements, as
opposed to the View function, which sanitizes the input correctly. A malicious
user can send any JavaScript pay...
References
- https://bugs.mageia.org/show_bug.cgi?id=27459
- https://webmin.com/security/
- https://webmin.com/tags/webmin-changelog/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8820
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8821
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12670
Resolution
MGASA-2020-0400 - Updated webmin package fixes security vulnerabilities
SRPMS
- 7/core/webmin-1.960-1.mga7