If Webmin or Usermin is configured to use full PAM conversations, it is vulnerable to the remote execution of arbitrary code with root
Keigo Yamazaki discovered that the miniserv.pl webserver, used in both
Webmin and Usermin, does not properly validate authentication
credentials before sending them to the PAM (Pluggable Authentication
Modules) authentication process.