cvedb.io
CVE-2017-15646
MEDIUM · CVSS 6.1
EPSS exploitation probability: 0%
Published 2017-10-19T22:29:00.323 · Last modified 2026-06-17T01:08:02.893

Summary

Webmin before 1.860 has XSS with resultant remote code execution. Under the 'Others/File Manager' menu, there is a 'Download from remote URL' option to download a file from a remote server. After setting up a malicious server, one can wait for a file download request and then send an XSS payload that will lead to Remote Code Execution, as demonstrated by an OS command in the value attribute of a name='cmd' input element.

Affected products

webmin — webmin

Does this affect you?

Add your gear to cvedb and we'll alert you only when webmin ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.