{"id":"CVE-2020-12670","details":"XSS exists in Webmin 1.941 and earlier affecting the Save function of the Read User Email Module / mailboxes Endpoint when attempting to save HTML emails. This module parses any output without sanitizing SCRIPT elements, as opposed to the View function, which sanitizes the input correctly. A malicious user can send any JavaScript payload into the message body and execute it if the user decides to save that email.","modified":"2026-04-11T22:57:48.894143Z","published":"2020-10-12T16:15:12.437Z","related":["MGASA-2020-0400"],"references":[{"type":"ADVISORY","url":"https://www.webmin.com/security.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/webmin/webmin","events":[{"introduced":"0"},{"last_affected":"d5227e85afec512718dd77a759a56cd212a15c1c"}],"database_specific":{"cpe":"cpe:2.3:a:webmin:webmin:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"0"},{"last_affected":"1.941"}],"source":"CPE_FIELD"}}],"versions":["1.700","1.710","1.720","1.730","1.740","1.750","1.760","1.770","1.780","1.790","1.800","1.801","1.810","1.820","1.830","1.831","1.840","1.850","1.860","1.870","1.880","1.890","1.900","1.910","1.920","1.930","1.940","1.941"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-12670.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}