An issue was discovered in Webmin <=1.920. The parameter old in password_change.cgi contains a command injection vulnerability.
Affected version: Webmin <=1.920
FOFA query rule: app="Webmin"
