CVE-2022-36446 software/apt-lib.pl in Webmin before 1.997 lacks HTML escaping for a UI command.

This can lead to XSS attacks when untrusted users reach Webmin interfaces through external applications. The affected command is /ui/command, a command in Webmin's UI (the leading / is the forward slash). The issue is fixed in Webmin 1.997.

Webmin 1.997 contains a fix for this potential XSS attack, which is caused by a bug in the apt-lib software. In Webmin before 1.997, untrusted users accessing Webmin interfaces through external applications can trigger it.

How did we get here?

The XSS vulnerability associated with Webmin 1.997 was discovered by security researcher Ben Murphy.

The bug in apt-lib software

The apt-lib software is an APT utility for apt-get that provides a way to download, install, upgrade and remove packages from APT repositories. It was originally written by Michael van Elst. The apt-lib bug was introduced in version 0.3 of the software.

The bug introduced in version 0.3 of apt-lib makes a potential XSS attack possible: untrusted users who access Webmin interfaces through external applications can use the /ui/command command (a command in Webmin's UI) to trigger it. This issue has been fixed in Webmin 1.997.

Upgrade Instructions

First, upgrade to Webmin 1.997 or later.
Next, run apt-get update and apt-get dist-upgrade to install the necessary packages that were fixed in Webmin 1.997.

Upgrade and Installation

Upgrade to Webmin 1.997 and the latest version of the apt-lib software:

1) Upgrade to Webmin 1.997 and the latest version of the apt-lib software:
   apt-get update && apt-get dist-upgrade
2) If you are using a stable release, upgrade from any previous stable release. For example, if you're running Webmin v1.996, then you would upgrade to v2.0 as follows:
   apt-get update && apt-get dist-upgrade
3) If you are not using a stable release and have been on Webmin for several years, then upgrading is required as follows:
   apt-get update && apt-get dist-upgrade -t unstable

What is an XSS attack?

Cross-site scripting (XSS) is a type of computer security vulnerability that affects how user input is validated or processed. The attacker injects client-side script into an HTML document, which is executed on the server when a victim visits the page.
The flaw enables attackers to execute their own code in the context of another site or even steal cookies from other sites.
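The missing HTML escaping described for the apt-lib UI command, and the XSS mechanism explained above, can be seen in a small added example. This is illustration code written for this page, not Webmin's apt-lib.pl: the row-rendering functions, the edit_pkg.cgi link and the HOSTILE_NAME value are all constructed assumptions, chosen only to show how an untrusted string changes the markup a browser-like parser sees, and how escaping for each output context (element text, attribute, URL parameter) removes the injected elements without losing the displayed text.

```python
import html
from html.parser import HTMLParser
from urllib.parse import quote

# Constructed sample input: a package name as an untrusted caller of a UI command
# could supply it. Not a real package and not taken from the advisory.
HOSTILE_NAME = 'vim"><script>alert(1)</script>'


def render_row_unescaped(name: str) -> str:
    """Vulnerable pattern (hypothetical): untrusted text spliced straight into HTML.

    The value lands in two contexts at once, a quoted attribute and element text,
    and neither is escaped.
    """
    return f'<td><a href="edit_pkg.cgi?package={name}">{name}</a></td>'


def render_row_escaped(name: str) -> str:
    """Fixed pattern: encode the value for every context it is written into.

    - html.escape(..., quote=True) neutralises <, >, &, " and ' for element
      text and quoted attribute values.
    - urllib.parse.quote(..., safe="") percent-encodes the value as a URL
      query parameter so it cannot break the attribute or inject extra parameters.
    """
    safe_text = html.escape(name, quote=True)
    safe_param = quote(name, safe="")
    return f'<td><a href="edit_pkg.cgi?package={safe_param}">{safe_text}</a></td>'


class _MarkupCollector(HTMLParser):
    """Records the start tags and visible text a parser extracts from markup."""

    def __init__(self) -> None:
        super().__init__()  # convert_charrefs=True: &lt; etc. come back as text
        self.tags: list[str] = []
        self.text: list[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        self.tags.append(tag)

    def handle_data(self, data: str) -> None:
        self.text.append(data)


def _parse(markup: str) -> _MarkupCollector:
    collector = _MarkupCollector()
    collector.feed(markup)
    collector.close()
    return collector


def element_tags(markup: str) -> list[str]:
    """Start tags in document order; a <script> here means injected markup."""
    return _parse(markup).tags


def visible_text(markup: str) -> str:
    """Text a user would see, with entities decoded back to characters."""
    return "".join(_parse(markup).text)


if __name__ == "__main__":
    for label, render in (("unescaped", render_row_unescaped), ("escaped", render_row_escaped)):
        out = render(HOSTILE_NAME)
        print(f"{label:9s} tags={element_tags(out)} text={visible_text(out)!r}")
```

Running the block shows the unescaped row growing an extra script element (the `"` in the value closes the href attribute and the `>` closes the tag), while the escaped row parses to exactly the two intended elements and still displays the original string verbatim. The check to carry over into a code review is the contextual one: escaping for element text alone does not protect an attribute or a URL parameter built from the same value.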
