Impact
Webmin accepts basic authentication without session cookies when an attacker supplies the 'User-Agent: webmin' header, enabling bypass of required MFA steps. This flaw allows an attacker to gain authenticated access without satisfying the multi‑factor challenge, effectively compromising account security. The weakness is categorized as CWE‑308, indicating improper permission or privilege assignment.
Affected Systems
The vulnerability affects the Webmin Webmin product for all releases prior to version 2.641. No specific sub‑version ranges are listed beyond the indication that earlier releases can be exploited. The fix is included in release 2.641, which is the only version known to contain the mitigation.
Risk and Exploitability
The CVSS score of 6.9 classifies this issue as medium severity. No EPSS score is available, indicating that real‑world exploitation statistics are not reported, and it is not listed in CISA’s KEV catalog. The likely attack vector is remote request injection over HTTP or HTTPS, where an attacker can craft a request with the special User‑Agent header; the flaw does not require privileged local access or pre‑existing authentication, but it does rely on the Webmin server accepting the header and allowing basic authentication. Because the vulnerability facilitates unauthorized access rather than arbitrary code execution, the risk is primarily loss of confidentiality and integrity for compromised user accounts.
OpenCVE Enrichment