CVE-2023-43309 - How Stored XSS in Webmin Lets Attackers Run Javascript Payloads

Published: June 2024
*Author: CyberSec Insights*

Introduction

Webmin is a well-known open-source web interface that helps system administrators manage Unix-based servers. Millions use Webmin to simplify tasks. But sometimes, popular software has bugs—and some can be dangerous. In October 2023, a stored Cross-site Scripting (XSS) vulnerability, tracked as CVE-2023-43309, was found in Webmin versions 2.002 and below. This post explains what CVE-2023-43309 is, how it works, and how it can be exploited.

What Is Stored XSS? (In Simple Words!)

Cross-site scripting (XSS) happens when someone is able to inject malicious scripts (usually JavaScript) into web pages that are seen by other users. Stored XSS is more dangerous than "reflected" XSS because the script is saved (stored) on the server and runs every time someone views the page.

Where's the Problem?

The vulnerability is found in the Cluster Cron Job tab in Webmin. When you add a new cluster cron job, there’s an input field (for example, the "Command" or "Description" field). Unsanitized data entered there is later returned in a way that doesn't block executable scripts.

1. Attacker Gets Access

First, the attacker needs an account on the vulnerable Webmin system. This user could be a low-privilege admin or a rogue insider.

2. Inject Payload

The attacker adds a new cluster cron job. In the relevant input field (for example, Description), the attacker submits this code:

<script>alert('XSS by CVE-2023-43309')</script>

3. Script Is Stored

Webmin saves this information (with the script tag) in its database or config files.

4. Victim Views the Page

When another admin or user goes to the Cluster Cron Job list, the field with the injected script is shown unfiltered.

5. Javascript Runs!

The browser executes the script. In a real attack, instead of alert(), a hacker might steal cookies, perform actions as the victim, or load external malware.

`html

Submit.

Any user who later visits the Cluster Cron Job tab will see the alert pop-up. A real attacker will use a more dangerous script.

Responsible Disclosure and Patch

The Webmin team was notified and fixed the flaw in version 2.003. Always keep your Webmin installation updated.

- Webmin Official Download
- Webmin Change Log

Mitigation:
Update to Webmin 2.003 or later. If you can’t, use a web proxy that filters scripts, and restrict user access.

References

- NVD Entry: CVE-2023-43309
- Original Security Advisory
- OWASP XSS Guide

Conclusion

CVE-2023-43309 is a classic case of stored XSS in a popular tool. The main lesson: Always sanitize user input, even for “trusted” admins. And if you use Webmin, update now.

Stay safe—and patch!

*If you liked this deep dive, follow for more exclusive security breakdowns!*

Timeline

Published on: 09/21/2023 14:15:10 UTC
Last modified on: 09/22/2023 02:15:37 UTC