{"id":"MGASA-2020-0400","summary":"Updated webmin package fixes security vulnerabilities","details":"An XSS Vulnerability exists in Webmin 1.941 and earlier affecting the Cluster \nShell Commands Endpoint. A user may enter any XSS Payload into the Command \nfield and execute it. Then, after revisiting the Cluster Shell Commands Menu,\nthe XSS Payload will be rendered and executed. (CVE-2020-8820)\n\nAn Improper Data Validation Vulnerability exists in Webmin 1.941 and earlier\naffecting the Command Shell Endpoint. A user may enter HTML code into the \nCommand field and submit it. Then, after visiting the Action Logs Menu and \ndisplaying logs, the HTML code will be rendered (however, JavaScript is not \nexecuted). Changes are kept across users. (CVE-2020-8821)\n\nXSS exists in Webmin 1.941 and earlier affecting the Save function of the \nRead User Email Module / mailboxes Endpoint when attempting to save HTML \nemails. This module parses any output without sanitizing SCRIPT elements, as \nopposed to the View function, which sanitizes the input correctly. A malicious\nuser can send any JavaScript payload into the message body and execute it if \nthe user decides to save that email. (CVE-2020-12670)\n","modified":"2026-01-31T15:47:45.213381Z","published":"2020-11-08T14:14:27Z","related":["CVE-2020-12670","CVE-2020-8820","CVE-2020-8821"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2020-0400.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=27459"},{"type":"REPORT","url":"https://www.webmin.com/security.html"},{"type":"REPORT","url":"https://www.webmin.com/changes.html"}],"affected":[{"package":{"name":"webmin","ecosystem":"Mageia:7","purl":"pkg:rpm/mageia/webmin?arch=source&distro=mageia-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.960-1.mga7"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2020-0400.json"}}],"schema_version":"1.7.3","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}