Certain versions of Webmin are vulnerable to cross-site scripting (XSS) in the login page.
Cross-site scripting attacks target the client and rely on vulnerable CGI programs. A CGI program that does not adequately filter its dynamic output lets a malicious user abuse another user's trust in your web server by injecting script tags.
An exploit script can be made to:
- access other sites inside another client's private intranet.
- steal another client's cookie(s).
- modify another client's cookie(s).
- steal another client's submitted form data.
- modify another client's submitted form data (before it reaches the server).
Note that SSL connectivity does not protect against this issue.
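The output-filtering failure described above, shown beside its fix, as an added example that is not Webmin's code. The page template, the `msg` and `user` parameters and the `/login` action are hypothetical, and the probe is a harmless marker tag constructed for the check.

```python
import html
from urllib.parse import parse_qs, urlencode

# Hypothetical login page template (assumption, not Webmin's markup).
# Two dynamic slots: one in HTML body context, one inside an attribute value.
PAGE = ('<html><body><p class="err">{msg}</p>'
        '<form method="post" action="/login">'
        '<input name="user" value="{user}">'
        '<input name="pass" type="password"></form></body></html>')


def _param(query_string, name):
    """Return the first value of a query parameter, or an empty string."""
    return parse_qs(query_string, keep_blank_values=True).get(name, [""])[0]


def render_unfiltered(query_string):
    """Vulnerable pattern: request data is copied into the page as-is."""
    return PAGE.format(msg=_param(query_string, "msg"),
                       user=_param(query_string, "user"))


def render_filtered(query_string):
    """Hardened pattern: every dynamic value is HTML-encoded on output."""
    def enc(value):
        # quote=True also encodes " and ', which matters in the attribute slot.
        return html.escape(value, quote=True)
    return PAGE.format(msg=enc(_param(query_string, "msg")),
                       user=enc(_param(query_string, "user")))


def reflects_markup(render, param):
    """Regression check: True if markup sent in `param` comes back unencoded."""
    probe = '"><xss-probe>'  # constructed marker, carries no script
    page = render(urlencode({param: probe}))
    return "<xss-probe>" in page


if __name__ == "__main__":
    for name, render in (("unfiltered", render_unfiltered),
                         ("filtered", render_filtered)):
        for param in ("msg", "user"):
            print(name, param, "reflects markup:", reflects_markup(render, param))
```

The same check runs identically over HTTP or HTTPS, since the reflected markup is part of the server's own response.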