Lucene search

[email protected]CVE-2021-46850

HistoryOct 24, 2022 - 2:15 p.m.

CVE-2021-46850

2022-10-2414:15:50

CWE-88

[email protected]

web.nvd.nist.gov

cve-2021-46850

myvesta control panel

command injection

v_sftp_license

security vulnerability

nvd

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

7.5 High

AI Score

Confidence

High

0.028 Low

EPSS

Percentile

90.7%

JSON

myVesta Control Panel before 0.9.8-26-43 and Vesta Control Panel before 0.9.8-26 are vulnerable to command injection. An authenticated and remote administrative user can execute arbitrary commands via the v_sftp_license parameter when sending HTTP POST requests to the /edit/server endpoint.

Affected configurations

NVD

Node

vestacpcontrol_panelRange<0.9.8-26-43

vestacpvesta_control_panelRange<0.9.8-26

CPENameOperatorVersion
vestacp:control_panelvestacp control panellt0.9.8-26-43
vestacp:vesta_control_panelvestacp vesta control panellt0.9.8-26

CPE	Name	Operator	Version
vestacp:control_panel	vestacp control panel	lt	0.9.8-26-43
vestacp:vesta_control_panel	vestacp vesta control panel	lt	0.9.8-26

References

blog.talosintelligence.com/2021/06/necro-python-bot-adds-new-tricks.html

github.com/myvesta/vesta/commit/7991753ab7c5c568768028fb77554db8ea149f17

github.com/myvesta/vesta/releases/tag/0.9.8-26-43

github.com/serghey-rodin/vesta/commit/a4e4542a6d1351c2857b169f8621dd9a13a2e896

www.exploit-db.com/exploits/49674

Social References

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

7.5 High

AI Score

Confidence

High

0.028 Low

EPSS

Percentile

90.7%

JSON

Related for CVE-2021-46850

nvd1 osv1 prion1 cvelist1