CVE-2021-31761

9.6 CRITICAL

📋 TL;DR

CVE-2021-31761 is a reflected cross-site scripting (XSS) vulnerability in Webmin 1.973 that can be exploited to achieve remote command execution through Webmin's running process feature. Attackers can inject malicious scripts that execute arbitrary commands with Webmin's privileges. This affects all administrators and users of Webmin 1.973.

💻 Affected Systems

Products:
  • Webmin
Versions: Version 1.973 specifically
Operating Systems: All platforms running Webmin
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Webmin's running process feature to be accessible, which is typically available to authenticated users.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with root-level command execution, data theft, lateral movement, and persistent backdoor installation.

🟠 Likely Case

Unauthorized command execution leading to data exfiltration, service disruption, and privilege escalation.

🟢 If Mitigated

Limited impact with proper input validation, output encoding, and network segmentation preventing exploitation.

🌐 Internet-Facing: HIGH - Webmin is often exposed to the internet for remote administration, making it directly accessible to attackers.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Multiple public proof-of-concept exploits exist. Exploitation requires authentication, but it can be combined with social engineering or CSRF.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Webmin 1.974 and later

Vendor Advisory: https://github.com/webmin/webmin

Restart Required: No

Instructions:

1. Back up your Webmin configuration.
2. Update Webmin using the built-in update feature or package manager.
3. Verify the version is 1.974 or higher.
4. Test functionality after update.

🔧 Temporary Workarounds

Disable running process feature

all

Temporarily disable the vulnerable running process module in Webmin to prevent exploitation.

Edit Webmin configuration to remove or restrict access to the running process module

Implement WAF rules

all

Deploy web application firewall rules to block XSS payloads targeting the vulnerable endpoint.

Add WAF rules to detect and block scripts in the process parameter

🧯 If You Can't Patch

  • Restrict Webmin access to trusted IP addresses only using firewall rules.
  • Implement strong authentication and session management to reduce attack surface.

🔍 How to Verify

Check if Vulnerable:

Check Webmin version via web interface or command line; version 1.973 is vulnerable.

Check Version:

cat /etc/webmin/version or check via web interface at /session_login.cgi

Verify Fix Applied:

Verify Webmin version is 1.974 or higher and test the running process feature with safe inputs.

📡 Detection & Monitoring

Log Indicators:

  • Unusual process execution logs in Webmin audit logs
  • Suspicious script tags or JavaScript in Webmin access logs

Network Indicators:

  • HTTP requests to Webmin with script payloads in parameters
  • Unexpected outbound connections from Webmin server

SIEM Query:

source="webmin" AND (process="*script*" OR param="*<script>*")
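
The query above matches a literal `<script>` string, which a percent-encoded request line in an access log may not contain. The following is an added example, not part of the original page or of Webmin, that decodes query parameters before matching; the log layout, the `/placeholder.cgi` path, the marker list and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote

# Heuristic markers of script injection in a decoded value (assumed, not exhaustive).
MARKERS = re.compile(
    r"<\s*script|javascript:|\bon(?:error|load|click|mouseover)\s*=", re.I)
# Request line as written by common/combined-style access logs (assumed layout).
REQUEST = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded values are exposed too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(log_line):
    """Return [(name, decoded_value)] for query parameters with script markers."""
    match = REQUEST.search(log_line)
    if not match:
        return []
    query = match.group("target").partition("?")[2]
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        decoded = decode_fully(value)  # parse_qsl has already decoded once
        if MARKERS.search(decoded):
            hits.append((name, decoded))
    return hits

def scan(lines):
    """Return [(line_number, hits)] for every log line with at least one hit."""
    numbered = ((i, suspicious_params(line)) for i, line in enumerate(lines, 1))
    return [(i, hits) for i, hits in numbered if hits]

# Constructed sample lines; /placeholder.cgi is a placeholder, not a real Webmin path.
SAMPLE_LOG = [
    '192.0.2.10 - admin [12/May/2021:10:01:02 +0000] "GET /placeholder.cgi?process=1234 HTTP/1.1" 200 5120',
    '192.0.2.10 - admin [12/May/2021:10:01:09 +0000] "GET /placeholder.cgi?process=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5177',
    '192.0.2.44 - admin [12/May/2021:10:02:30 +0000] "GET /placeholder.cgi?process=%253Cscript%253Ealert(1)%253C%252Fscript%253E HTTP/1.1" 200 5177',
]

if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOG):
        print(number, hits)
```

Neither flagged sample line contains the literal string `<script>`, so a literal-match rule alone would pass both.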
