FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-05-02 10:37:19 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID	Description
ece65d3b-c20c-11e9-8af4-bcaec55be5e5	webmin -- unauthenticated remote code execution Joe Cooper reports: I've rolled out Webmin version 1.930 and Usermin version 1.780 for all repositories. This release includes several security fixes, including one potentially serious one caused by malicious code inserted into Webmin and Usermin at some point on our build infrastructure. We're still investigating how and when, but the exploitable code has never existed in our github repositories, so we've rebuilt from git source on new infrastructure (and checked to be sure the result does not contain the malicious code). I don't have a changelog for these releases yet, but I wanted to announce them immediately due to the severity of this issue. To exploit the malicious code, your Webmin installation must have Webmin -> Webmin Configuration -> Authentication -> Password expiry policy set to Prompt users with expired passwords to enter a new one. This option is not set by default, but if it is set, it allows remote code execution. This release addresses CVE-2019-15107, which was disclosed earlier today. It also addresses a handful of XSS issues that we were notified about, and a bounty was awarded to the researcher (a different one) who found them. Discovery 2019-08-17 Entry 2019-08-17 webmin < 1.930 usermin < 1.780 https://virtualmin.com/node/66890 CVE-2019-15107
ec89dc70-2515-11e2-8eda-000a5e1e33c6	webmin -- potential XSS attack via real name field The webmin updates site reports Module: Change Passwords; Version: 1.600; Problem: Fix for potential XSS attack via real name field; Solution: New module. Discovery 2012-11-02 Entry 2012-11-02 webmin < 1.600_1 http://www.webmin.com/updates.html
12b7286f-16a2-11dc-b803-0016179b2dd5	webmin -- cross site scripting vulnerability Secunia reports: Input passed to unspecified parameters in pam_login.cgi is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. Discovery 2007-06-01 Entry 2007-06-09 Modified 2010-05-12 webmin < 1.350 24381 CVE-2007-3156 http://secunia.com/advisories/25580/ http://www.webmin.com/changes-1.350.html

VuXML ID

Description

ece65d3b-c20c-11e9-8af4-bcaec55be5e5

webmin -- unauthenticated remote code execution

Joe Cooper reports:

I've rolled out Webmin version 1.930 and Usermin version 1.780 for all repositories. This release includes several security fixes, including one potentially serious one caused by malicious code inserted into Webmin and Usermin at some point on our build infrastructure. We're still investigating how and when, but the exploitable code has never existed in our github repositories, so we've rebuilt from git source on new infrastructure (and checked to be sure the result does not contain the malicious code).

I don't have a changelog for these releases yet, but I wanted to announce them immediately due to the severity of this issue. To exploit the malicious code, your Webmin installation must have Webmin -> Webmin Configuration -> Authentication -> Password expiry policy set to Prompt users with expired passwords to enter a new one. This option is not set by default, but if it is set, it allows remote code execution.

This release addresses CVE-2019-15107, which was disclosed earlier today. It also addresses a handful of XSS issues that we were notified about, and a bounty was awarded to the researcher (a different one) who found them.

Discovery 2019-08-17
Entry 2019-08-17
webmin

< 1.930

usermin

< 1.780

https://virtualmin.com/node/66890
CVE-2019-15107

ec89dc70-2515-11e2-8eda-000a5e1e33c6

webmin -- potential XSS attack via real name field

The webmin updates site reports

Module: Change Passwords; Version: 1.600; Problem: Fix for potential XSS attack via real name field; Solution: New module.

Discovery 2012-11-02
Entry 2012-11-02
webmin

< 1.600_1

http://www.webmin.com/updates.html

12b7286f-16a2-11dc-b803-0016179b2dd5

webmin -- cross site scripting vulnerability

Secunia reports:

Input passed to unspecified parameters in pam_login.cgi is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Discovery 2007-06-01
Entry 2007-06-09
Modified 2010-05-12
webmin

< 1.350

24381
CVE-2007-3156
http://secunia.com/advisories/25580/
http://www.webmin.com/changes-1.350.html