The account lockout functionality in (1) Webmin 1.140 and (2) Usermin 1.070 does not parse certain character strings, which allows remote attackers to conduct a brute force attack to guess user IDs and passwords.
Debian Security Advisory DSA 526-1 - Two vulnerabilities in Webmin 1.140 allow remote attackers to bypass access control rules and the ability to brute force IDs and passwords.