Webmin Host Header Injection Vulnerability in Password Reset Functionality

Vulnerability

A critical host header injection vulnerability has been identified in Webmin version 2.510. This issue arises in the password reset feature, specifically within the 'forgot_send.cgi' component. The vulnerability allows attackers to manipulate the 'Host' header, injecting malicious domains into the reset link sent to users. If a victim follows the compromised link, the attacker can intercept the reset token and gain full control of the victim's account.

Impact

Exploitation of this vulnerability allows for account takeover, including access to root or admin privileges, and could lead to a complete compromise of the Webmin panel.

Reproduction

To reproduce this vulnerability, send a POST request to the 'forgot_send.cgi' script with a manipulated 'Host' header. The injected domain will be used in the password reset link, and the reset token can be intercepted when that link is followed.

Remediation

Users are advised to update to Webmin version 2.520, which addresses this vulnerability.
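The flaw class described above, shown as an added example (this is not Webmin's code and not the 2.520 patch): a reset-link builder that trusts the 'Host' header beside one that builds the link from configuration, plus a check that flags 'forgot_send.cgi' requests carrying an unexpected 'Host'. The hostnames, the allowlist, the reset path and all function names are assumptions made for illustration.

```python
from urllib.parse import quote

# Assumed deployment values, constructed for this example.
ALLOWED_HOSTS = {"webmin.example.internal:10000"}
CANONICAL_BASE = "https://webmin.example.internal:10000"
RESET_PATH = "/reset-placeholder"  # placeholder, not a real Webmin path

def normalize_host(host_header):
    """Lower-case and trim a Host value; return None if empty or malformed."""
    if not host_header:
        return None
    host = host_header.strip().lower()
    # Characters that could smuggle a second authority, path or header.
    if any(c in host for c in " \t\r\n/\\@,?#"):
        return None
    return host

def build_reset_link_unsafe(host_header, token):
    """Flawed pattern: the emailed link's authority comes from the request."""
    return f"https://{host_header}{RESET_PATH}?token={quote(token, safe='')}"

def build_reset_link_safe(host_header, token):
    """Hardened pattern: Host only gates the request; the emailed link
    is always built from the configured canonical base URL."""
    if normalize_host(host_header) not in ALLOWED_HOSTS:
        raise ValueError(f"rejected Host header: {host_header!r}")
    return f"{CANONICAL_BASE}{RESET_PATH}?token={quote(token, safe='')}"

def flag_suspicious(requests):
    """Return POSTs to forgot_send.cgi whose Host is not allowlisted."""
    return [r for r in requests
            if r["method"] == "POST"
            and r["path"].endswith("/forgot_send.cgi")
            and normalize_host(r["host"]) not in ALLOWED_HOSTS]

# Constructed request records (method, path, Host header) for the demo.
SAMPLE = [
    {"method": "POST", "path": "/forgot_send.cgi",
     "host": "webmin.example.internal:10000"},
    {"method": "POST", "path": "/forgot_send.cgi", "host": "attacker.example"},
    {"method": "GET", "path": "/", "host": "attacker.example"},
]

if __name__ == "__main__":
    print(build_reset_link_unsafe("attacker.example", "tok123"))
    print(build_reset_link_safe("webmin.example.internal:10000", "tok123"))
    for r in flag_suspicious(SAMPLE):
        print("suspicious:", r)
```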

Added: Oct 16, 2025, 3:19 PM
Updated: Oct 16, 2025, 7:32 PM

Vulnerability Rating

Custom Algorithm

spread: 6.8
impact: 5.0
exploitability: 7.4
remediation: 7.7
relevance: 0.7
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.