Vulnerability Details : CVE-2012-2983
Public exploit exists!
file/edit_html.cgi in Webmin 1.590 and earlier does not perform an authorization check before showing a file's unedited contents, which allows remote attackers to read arbitrary files via the file field.
Products affected by CVE-2012-2983
- cpe:2.3:a:gentoo:webmin:*:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:webmin:1.150:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:webmin:1.160:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:webmin:1.140:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:webmin:1.570:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:webmin:1.550:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:webmin:1.450:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:webmin:1.440:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:webmin:1.370:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:webmin:1.340:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:webmin:1.270:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:webmin:1.560:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:webmin:1.530:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:webmin:1.430:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:webmin:1.420:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:webmin:1.330:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:webmin:1.320:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:webmin:1.240:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:webmin:1.230:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:webmin:1.520:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:webmin:1.510:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:webmin:1.410:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:webmin:1.400:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:webmin:1.310:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:webmin:1.300:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:webmin:1.220:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:webmin:1.210:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:webmin:1.200:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:webmin:1.260:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:webmin:1.580:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:webmin:1.500:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:webmin:1.480:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:webmin:1.470:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:webmin:1.390:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:webmin:1.380:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:webmin:1.290:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:webmin:1.280:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:webmin:1.180:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:webmin:1.170:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2012-2983
50.93%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 98 %
Percentile, the proportion of vulnerabilities that are scored at or less
Metasploit modules for CVE-2012-2983
-
Webmin edit_html.cgi file Parameter Traversal Arbitrary File Access
Disclosure Date: 2012-09-06First seen: 2020-04-26auxiliary/admin/webmin/edit_html_fileaccessThis module exploits a directory traversal in Webmin 1.580. The vulnerability exists in the edit_html.cgi component and allows an authenticated user with access to the File Manager Module to access arbitrary files with root privileges. The module has been tested su
CVSS scores for CVE-2012-2983
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
10.0
|
2.9
|
NIST |
CWE ids for CVE-2012-2983
-
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.Assigned by: nvd@nist.gov (Primary)
References for CVE-2012-2983
-
https://github.com/webmin/webmin/commit/4cd7bad70e23e4e19be8ccf7b9f245445b2b3b80
Add access control check when reading HTML file https://sourceforge.n… · webmin/webmin@4cd7bad · GitHub
-
http://www.xerox.com/download/security/security-bulletin/16287-4d6b7b0c81f7b/cert_XRX13-003_v1.0.pdf
-
http://americaninfosec.com/research/index.html
404 Not Found
-
http://www.kb.cert.org/vuls/id/788478
VU#788478 - Webmin contains input validation vulnerabilitiesPatch;US Government Resource
-
http://www.securitytracker.com/id?1027507
Webmin Flaws Let Remote Authenticated Users Execute Arbitrary Code and View Arbitrary Files - SecurityTracker
-
http://www.americaninfosec.com/research/dossiers/AISG-12-002.pdf
Jump to