CVE-2022-36446

CVE-2022-36446

EPSS 96.0%

Vexday Risk Score

60Attention

SSVC decision (CISA)

Attend

PoC available → attend closely

CVSS —EPSS 96.0%KEV nãoPoC públicaNuclei simMetasploit simPatch —

Lifecycle

25 Jul 2022Published on NVD

26 Jul 2022Metasploit module available

11 Aug 2022Public PoC

Recommendation: Plan a near-term fix — a public PoC already exists.

software/apt-lib.pl in Webmin before 1.997 lacks HTML escaping for a UI command.

Affected products

public PoCs found — 6

githubgithub.com/p0dalirius/CVE-2022-36446-Webmin-Software-Package-Updates-RCE★ 115 githubgithub.com/emirpolatt/CVE-2022-36446★ 3 githubgithub.com/Kang3639/CVE-2022-36446★ 0 cve_referencepacketstormsecurity.com/files/167894/Webmin-1.996-Remote-Code-Execution.htmlunverified cve_referencepacketstormsecurity.com/files/168049/Webmin-Package-Updates-Command-Injection.htmlunverified cve_referencewww.exploit-db.com/exploits/50998unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

http://packetstormsecurity.com/files/167894/Webmin-1.996-Remote-Code-Execution.html http://packetstormsecurity.com/files/168049/Webmin-Package-Updates-Command-Injection.html https://gist.github.com/emirpolatt/cf19d6c0128fa3e25ebb47e09243919b https://github.com/webmin/webmin/commit/13f7bf9621a82d93f1e9dbd838d1e22020221bde https://github.com/webmin/webmin/compare/1.996...1.997 https://www.exploit-db.com/exploits/50998