An issue was discovered in Webmin <=1.920. The parameter old in password_change.cgi contains a command injection vulnerability.
https://attackerkb.com/topics/hxx3zmiCkR/webmin-password-change-cgi-command-injection
http://www.webmin.com/security.html
http://packetstormsecurity.com/files/154485/Webmin-1.920-Remote-Code-Execution.html