CVE-2022-36446: 
Webmin vulnerability analysis and mitigation

A vulnerability was discovered in Webmin before version 1.997, identified as CVE-2022-36446. The issue exists in the software/apt-lib.pl file where HTML escaping for a UI command is missing. This vulnerability was disclosed on July 25, 2022, affecting Webmin installations prior to version 1.997 (NVD, MITRE).

The vulnerability stems from improper HTML escaping in the software/apt-lib.pl file of Webmin. The issue specifically occurs in the UI command handling within the package updates functionality. The vulnerability allows authenticated users with access to the 'Software Package Updates' module to perform OS Command Injection during new package installations (Exploit DB, GitHub Commit).

When successfully exploited, this vulnerability allows authenticated users with access to the 'Software Package Updates' module to execute arbitrary commands with root privileges on the target system (Exploit DB).

The vulnerability has been patched in Webmin version 1.997. Users are advised to upgrade to this version or later to mitigate the risk. The fix involves proper HTML escaping implementation for UI commands in the software/apt-lib.pl file (GitHub Commit).