Lucene search

GoogleOSV:CVE-2021-46850

HistoryOct 24, 2022 - 2:15 p.m.

CVE-2021-46850

2022-10-2414:15:50

Google

osv.dev

myvesta

vesta control panel

command injection

authenticated user

administrative user

http post requests

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

8.1 High

AI Score

Confidence

Low

0.028 Low

EPSS

Percentile

90.7%

JSON

myVesta Control Panel before 0.9.8-26-43 and Vesta Control Panel before 0.9.8-26 are vulnerable to command injection. An authenticated and remote administrative user can execute arbitrary commands via the v_sftp_license parameter when sending HTTP POST requests to the /edit/server endpoint.

CPENameOperatorVersion
vestaeq0.9.8-19
vestaeq0.9.8-26-35
vestaeq0.9.8-24
vestaeq0.9.8-10
vestaeq0.9.8-27
vestaeq0.9.8-26-29
vestaeq0.9.8-11
vestaeq0.9.8-26-33
vestaeq0.9.8-18
vestaeq0.9.8-23

Name	Operator	Version
vesta	eq	0.9.8-19
vesta	eq	0.9.8-26-35
vesta	eq	0.9.8-24
vesta	eq	0.9.8-10
vesta	eq	0.9.8-27
vesta	eq	0.9.8-26-29
vesta	eq	0.9.8-11
vesta	eq	0.9.8-26-33
vesta	eq	0.9.8-18
vesta	eq	0.9.8-23

Rows per page:

1-10 of 231

References

blog.talosintelligence.com/2021/06/necro-python-bot-adds-new-tricks.html

github.com/myvesta/vesta/commit/7991753ab7c5c568768028fb77554db8ea149f17

github.com/myvesta/vesta/releases/tag/0.9.8-26-43

github.com/serghey-rodin/vesta/commit/a4e4542a6d1351c2857b169f8621dd9a13a2e896

www.exploit-db.com/exploits/49674

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

8.1 High

AI Score

Confidence

Low

0.028 Low

EPSS

Percentile

90.7%

JSON

Related for OSV:CVE-2021-46850