CVE-2020-10966

2020-03-2523:15:16

Google

osv.dev

6.8 Medium

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

51.5%

JSON

In the Password Reset Module in VESTA Control Panel through 0.9.8-25 and Hestia Control Panel before 1.1.1, Host header manipulation leads to account takeover because the victim receives a reset URL containing an attacker-controlled server name.

CPENameOperatorVersion
hestiacpeq0.9.8-17
hestiacpeq0.9.8-25
hestiacpeq0.9.8-19
hestiacpeq0.9.8-28
hestiacpeq0.9.8-12
hestiacpeq0.9.8-10
hestiacpeq0.9.8-20
hestiacpeq1.0.1
hestiacpeq0.9.8-13
hestiacpeq0.9.8-18

Name	Operator	Version
hestiacp	eq	0.9.8-17
hestiacp	eq	0.9.8-25
hestiacp	eq	0.9.8-19
hestiacp	eq	0.9.8-28
hestiacp	eq	0.9.8-12
hestiacp	eq	0.9.8-10
hestiacp	eq	0.9.8-20
hestiacp	eq	1.0.1
hestiacp	eq	0.9.8-13
hestiacp	eq	0.9.8-18