Cyber Resilience

CVE-2022-30708

HighPublic PoC

Published: 15 May 2022

Published
15 May 2022
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0471 89.6th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2022-30708 is a high-severity an unspecified weakness vulnerability in Webmin Webmin. Its CVSS base score is 8.8 (High).

Operationally, ranked in the top 10.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

Webmin through version 1.991 is affected by a remote code execution vulnerability when the Authentic theme is in use. The flaw stems from settings-editor_write.cgi failing to properly restrict the file parameter, but only impacts users who were created manually rather than through Virtualmin or Cloudmin. The issue carries a CVSS 3.1 base score of 8.8.

An authenticated attacker with a manually provisioned account can supply a crafted file parameter to the affected CGI script and achieve arbitrary code execution on the server. No special user interaction or high privileges beyond a standard Webmin login are required for successful exploitation.

Public references point to a fix committed in the Webmin repository and updated releases of the Authentic theme that address the parameter handling weakness. The associated GitHub issue and proof-of-concept exploit code further document the root cause and remediation steps. The EPSS score has remained low with only minor movement between its current value of 0.0471 and peak of 0.0542.

EU & UK References

Vulnerability details

Webmin through 1.991, when the Authentic theme is used, allows remote code execution when a user has been manually created (i.e., not created in Virtualmin or Cloudmin). This occurs because settings-editor_write.cgi does not properly restrict the file parameter.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

webmin
webmin
≤ 1.991

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References