Webmin version 1.890 suffers from a cross site scripting vulnerability.
# Vulnerability type: Reflected Cross Site Scripting
# Vendor: <https://www.k2.com/> http://www.webmin.com/index.html
# Product: Webmin
# Affected version: 1.890
# Credit: Foo Jong Meng
# CVE ID: CVE-2018-19191
# DESCRIPTION:
After logging into the Webmin interface, an attack can be launched by
injecting the XSS payload into the affected parameters. The XSS is noted in
the following Webmin parameters (https://x.x.x.x:10000/affected-parameters):
- /config.cgi?webmin (GET)
- /shell/index.cgi (POST) history parameter
- /shell/index.cgi?stripped=1 (POST)
- /webminlog/search.cgi (GET) uall and mall parameters
# SAMPLE PAYLOAD:
"<script>alert(0)</script>
<script>alert(%22%78%73%73%22)</script>abc
# PROOF OF CONCEPT:
1. Use a web proxy (e.g. zaproxy, Burp) to intercept the affected "GET" and
"POST" requests for:
https://x.x.x.x:10000/affected-parameters
2. Inject the XSS payload at the affected parameters.
3. The payload will be executed.
The developer has issued an updated version of Webmin addressing the
reported vulnerabilities.
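
The following is an added example, not code from Webmin or from the advisory's author. It reflects the advisory's two sample payloads through a hypothetical page fragment, once verbatim and once with output encoding, and parses both results to show why the encoding must cover the double quote as well as the angle brackets. The template, function names and query strings are assumptions made for illustration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs

# Hypothetical page fragment that echoes the "uall" parameter into an
# attribute value and into body text (a stand-in, not Webmin's markup).
TEMPLATE = '<input name="uall" value="{v}"><p>Results for {v}</p>'

# Constructed query strings carrying the advisory's two sample payloads.
SAMPLES = [
    'uall="<script>alert(0)</script>',
    'uall=<script>alert(%22%78%73%73%22)</script>abc',
]

def param(query_string, name="uall"):
    """URL-decode the query string and return the first value of `name`."""
    return parse_qs(query_string, keep_blank_values=True).get(name, [""])[0]

def render_vulnerable(query_string):
    """Flawed pattern: the decoded value is written into HTML verbatim."""
    return TEMPLATE.format(v=param(query_string))

def render_hardened(query_string):
    """Encode &, <, >, " and ' so the value stays data in both contexts."""
    return TEMPLATE.format(v=html.escape(param(query_string), quote=True))

class _Tags(HTMLParser):
    """Records start tags and any value attributes the parser reports."""
    def __init__(self):
        super().__init__()
        self.tags, self.values = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.values += [v for k, v in attrs if k == "value"]

def parse(markup):
    """Return (start tags, value attributes) as an HTML parser sees them."""
    p = _Tags()
    p.feed(markup)
    p.close()
    return p.tags, p.values

if __name__ == "__main__":
    for qs in SAMPLES:
        print("vulnerable:", parse(render_vulnerable(qs))[0])
        print("hardened:  ", parse(render_hardened(qs))[0])
```

The percent-encoded payload is decoded before it reaches the template, so the encoding step has to run on the decoded value at output time rather than on the raw query string.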