Webmin – Remote Command Execution Vulnerability
We have been made aware of a remote exploit in Webmin versions 1.882 to 1.921 that allows users to run arbitrary commands. The "old" parameter of password_change.cgi contains a command injection vulnerability that can be exploited for remote command execution.
Version 1.890 is vulnerable in its default install, whereas the other versions are only vulnerable if changing of expired passwords is enabled, which is not the case by default.
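The exposure rule above can be applied across an inventory of Webmin hosts. The following is an added example, not part of the original advisory or Webmin's own code. It assumes the expired-password change feature corresponds to passwd_mode=2 in Webmin's miniserv configuration; the host names and config excerpts are constructed.

```python
from decimal import Decimal
import re

# Version bounds stated in the advisory.
FIRST_AFFECTED = Decimal("1.882")
LAST_AFFECTED = Decimal("1.921")
DEFAULT_VULNERABLE = Decimal("1.890")

def parse_version(text):
    """Treat Webmin versions as decimal numbers ('1.890'); ignore any packaging suffix."""
    m = re.match(r"\s*(\d+\.\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Webmin version: {text!r}")
    return Decimal(m.group(1))

def expired_password_change_enabled(conf_text):
    """ASSUMPTION: passwd_mode=2 in the miniserv config enables the feature."""
    enabled = False
    for line in conf_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "passwd_mode":
            enabled = value.strip() == "2"  # if repeated, the last line is used here
    return enabled

def classify(version_text, conf_text):
    """Apply the advisory's rule: 1.890 by default, other affected versions if enabled."""
    v = parse_version(version_text)
    if not (FIRST_AFFECTED <= v <= LAST_AFFECTED):
        return "outside affected range"
    if v == DEFAULT_VULNERABLE:
        return "vulnerable: default install"
    if expired_password_change_enabled(conf_text):
        return "vulnerable: expired-password change enabled"
    return "affected version, feature disabled"

# Constructed inventory: (host, reported version, config excerpt).
INVENTORY = [
    ("host-a", "1.890", "port=10000\n"),
    ("host-b", "1.920", "port=10000\npasswd_mode=2\n"),
    ("host-c", "1.910", "port=10000\npasswd_mode=0\n"),
    ("host-d", "1.930", "passwd_mode=2\n"),
    ("host-e", "1.881", "passwd_mode=2\n"),
]

def triage(inventory=INVENTORY):
    return {host: classify(ver, conf) for host, ver, conf in inventory}

if __name__ == "__main__":
    for host, verdict in triage().items():
        print(f"{host}: {verdict}")
```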