CVE-2023-38304: 
Webmin vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in Webmin 2.021's Users and Groups functionality. The vulnerability, identified as CVE-2023-38304, allows an attacker to store a malicious payload in the Group Name field when creating a new group. When viewing the user details, the stored XSS payload is executed within the context of the victim's browser (GitHub Exploit, NVD).

The vulnerability affects the Group Name parameter in the Users and Groups functionality of Webmin 2.021. The CVSS v3.1 base score is 5.4 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (NVD).

When successfully exploited, the vulnerability allows attackers to execute arbitrary JavaScript code in the context of the victim's browser when they view user details. This could lead to unauthorized access to sensitive information and potential session hijacking (GitHub Exploit).

Users should upgrade to a patched version of Webmin. The vulnerability has been addressed in subsequent releases as indicated in the Webmin changelog (Webmin Changelog).