Please send all reports of security issues found in Webmin to security@webmin.com via email, ideally PGP encrypted with the key from https://www.webmin.com/jcameron-key.asc .

Potential security issues, in descending order of impact, include :

• Remotely exploitable attacks that allow root access to Webmin without any credentials.

• Privilege escalation vulnerabilities that allow non-root users of Webmin to run commands or access files as root.

• XSS attacks that target users already logged into Webmin when they visit another website.

Things that are not actually security issues include :

• XSS attacks that are blocked by Webmin's referrer checks, which are enabled by default.

• Attacks that require modifications to Webmin's code or configuration, which can only be done by someone who already has root permissions.