MGASA-2020-0400 - Updated webmin package fixes security vulnerabilities

Publication date: 08 Nov 2020
URL: https://advisories.mageia.org/MGASA-2020-0400.html
Type: security
Affected Mageia releases: 7
CVE: CVE-2020-8820,
     CVE-2020-8821,
     CVE-2020-12670

An XSS Vulnerability exists in Webmin 1.941 and earlier affecting the Cluster 
Shell Commands Endpoint. A user may enter any XSS Payload into the Command 
field and execute it. Then, after revisiting the Cluster Shell Commands Menu,
the XSS Payload will be rendered and executed. (CVE-2020-8820)

An Improper Data Validation Vulnerability exists in Webmin 1.941 and earlier
affecting the Command Shell Endpoint. A user may enter HTML code into the 
Command field and submit it. Then, after visiting the Action Logs Menu and 
displaying logs, the HTML code will be rendered (however, JavaScript is not 
executed). Changes are kept across users. (CVE-2020-8821)

XSS exists in Webmin 1.941 and earlier affecting the Save function of the 
Read User Email Module / mailboxes Endpoint when attempting to save HTML 
emails. This function renders the message body without sanitizing SCRIPT 
elements, as opposed to the View function, which sanitizes the input 
correctly. A malicious user can place any JavaScript payload in the message 
body, and it executes if the recipient decides to save that email. 
(CVE-2020-12670)
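All three findings share one defect: a value a user saved earlier (the Command field, a mail body) is written back into a page without output encoding. The Python below is an added illustration, not Webmin's code; it shows the rendering pattern the advisory describes beside an output-encoded version, over constructed sample commands, with a small audit check. The function names and the sample data are assumptions.

```python
import html

# Constructed sample: commands as a user might have saved them in the
# Cluster Shell Commands module. The second one carries markup.
SAVED_COMMANDS = [
    "uptime",
    'echo "<b>disk</b>" && df -h',
]


def render_menu_vulnerable(commands):
    """Pattern behind CVE-2020-8820/8821: the saved Command field is
    interpolated into the menu page verbatim, so any markup it contains
    is interpreted by the browser when the menu is revisited."""
    rows = "".join(f"<tr><td>{cmd}</td></tr>" for cmd in commands)
    return f"<table>{rows}</table>"


def render_menu_fixed(commands):
    """Encode each field at the point of rendering: '<', '>', '&' and
    quotes become entities, so the browser displays the text literally
    instead of parsing it as HTML."""
    rows = "".join(
        f"<tr><td>{html.escape(cmd, quote=True)}</td></tr>" for cmd in commands
    )
    return f"<table>{rows}</table>"


def unencoded_markup_present(rendered, user_values):
    """Audit helper: True if any user-supplied value containing a tag
    survives verbatim in the rendered page, i.e. it was not encoded."""
    return any("<" in v and v in rendered for v in user_values)
```

The same check applies to the mail Save path of CVE-2020-12670: a stored body must be encoded (or run through the same sanitizer the View function uses) before it is written into the page.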

References:
- https://bugs.mageia.org/show_bug.cgi?id=27459
- https://www.webmin.com/security.html
- https://www.webmin.com/changes.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8820
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8821
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12670

SRPMS:
- 7/core/webmin-1.960-1.mga7