CVE-2023-38305: 
Webmin vulnerability analysis and mitigation

An issue was discovered in Webmin 2.021 affecting the download functionality. The vulnerability (CVE-2023-38305) allows attackers to exploit a Cross-Site Scripting (XSS) vulnerability by providing a crafted download path containing a malicious payload. When the download link is accessed, the injected arbitrary code is executed within the context of the victim's browser (NVD).

The vulnerability has been assigned a CVSS v3.1 Base Score of 6.1 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The issue specifically affects the URLs to download parameter functionality. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (NVD).

When successfully exploited, this vulnerability allows attackers to inject and execute arbitrary code within the victim's browser context. This can lead to potential theft of sensitive information, session hijacking, or other malicious actions performed in the context of the authenticated user's session (Github Exploit).

Users should upgrade to a version newer than Webmin 2.021. The vulnerability has been addressed in subsequent releases as indicated in the Webmin changelog (Webmin Changelog).