Vulnerability Details : CVE-2019-12840
Public exploit exists!
In Webmin through 1.910, any user authorized to the "Package Updates" module can execute arbitrary commands with root privileges via the data parameter to update.cgi.
Products affected by CVE-2019-12840
- cpe:2.3:a:webmin:webmin:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-12840
- 23.53%: Probability of exploitation activity in the next 30 days
- ~97%: Percentile, the proportion of vulnerabilities that are scored at or less
Metasploit modules for CVE-2019-12840
- Webmin Package Updates Remote Command Execution
  Disclosure Date: 2019-05-16
  First seen: 2020-04-26
  Module: exploit/linux/http/webmin_packageup_rce
  This module exploits an arbitrary command execution vulnerability in Webmin 1.910 and lower versions. Any user authorized to the "Package Updates" module can execute arbitrary commands with root privileges.
CVSS scores for CVE-2019-12840
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
9.0 | HIGH | AV:N/AC:L/Au:S/C:C/I:C/A:C | 8.0 | 10.0 | NIST | |
8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 | NIST | |
CWE ids for CVE-2019-12840
- The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
  Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-12840
- https://www.exploit-db.com/exploits/46984
  Webmin 1.910 - 'Package Updates' Remote Command Execution (Metasploit)
  Exploit; Third Party Advisory; VDB Entry
- http://www.securityfocus.com/bid/108790
  Webmin CVE-2019-12840 Arbitrary Command Injection Vulnerability
- https://pentest.com.tr/exploits/Webmin-1910-Package-Updates-Remote-Command-Execution.html
  Pentest Blog - Self-Improvement to Ethical Hacking
  Exploit; Third Party Advisory
- http://packetstormsecurity.com/files/153372/Webmin-1.910-Remote-Command-Execution.html
  Webmin 1.910 Remote Command Execution ≈ Packet Storm