One Day Sec

What is the CVE-2019-15107 vulnerability in Webmin, and what condition must be present for it to be exploitable?

CVE-2019-15107 is an unauthenticated remote code execution vulnerability in Webmin versions below 1.930. It requires the Webmin Password expiry policy to be set to 'Prompt users with expired passwords to enter a new one' (instead of the default 'Always deny'). As detailed in our Webmin<=1.920-Unauthenticated_RCE(CVE-2019-15107) Exploitation Test, this allows an attacker to inject commands via a crafted POST request to password_change.cgi.
CVE-2019-15107, Webmin, password expiry policy, unauthenticated RCE
