|Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')|

|Vulnerability|Severity Score|Release Date|Summary|
|---|---|---|---|
|CVE-2006-3392|5.0|July 6, 2006|Webmin before 1.290 and Usermin before 1.220 call the simplify_path function before decoding HTML, which allows remote attackers to read arbitrary files, as demonstrated using "..%01" sequences, which bypass the removal of "../" sequences before bytes such as "%01" are removed from the filename. NOTE: This is a different issue than CVE-2006-3274.|
|CVE-2006-4542|6.8|Sept. 5, 2006|Webmin before 1.296 and Usermin before 1.226 do not properly handle a URL with a null ("%00") character, which allows remote attackers to conduct cross-site scripting (XSS), read CGI program source code, list directories, and possibly execute programs.|
|CVE-2009-4568|4.3|Jan. 5, 2010|Cross-site scripting (XSS) vulnerability in Webmin before 1.500 and Usermin before 1.430 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.|