The account lockout functionality in (1) Webmin 1.140 and (2) Usermin 1.070 does not parse certain character strings, which allows remote attackers to conduct a brute force attack to guess user IDs and passwords.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Usermin | Usermin | 1.070 (including) | 1.070 (including) |
Webmin | Webmin | 1.1.40 (including) | 1.1.40 (including) |