CVE-2023-40986: 
Webmin vulnerability analysis and mitigation

A stored cross-site scripting (XSS) vulnerability was discovered in Webmin v2.100's Usermin Configuration function. The vulnerability was assigned identifier CVE-2023-40986 and was publicly disclosed on September 14, 2023. The vulnerability affects the Custom field functionality within the Usermin Configuration feature of Webmin version 2.100 (NVD, GitHub Advisory).

The vulnerability is classified as a stored cross-site scripting (XSS) issue with a CVSS v3.1 base score of 5.4 (Medium) and vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The vulnerability is categorized under CWE-79 (Improper Neutralization of Input During Web Page Generation). The issue allows attackers to execute arbitrary web scripts or HTML by injecting a crafted payload into the Custom field of the Usermin Configuration function (NVD).

If successfully exploited, this vulnerability allows attackers to execute arbitrary web scripts or HTML in the context of other users' browsers who access the affected pages. This could lead to theft of sensitive information, session hijacking, or other malicious actions performed in the context of the affected users' sessions (NVD).

Users should upgrade to a version of Webmin newer than 2.100 to address this vulnerability. The latest version can be obtained from the official Webmin website (Webmin).