
Control Panel Security Vulnerabilities

CVE-2000-1023
The Alabanza Control Panel does not require passwords to access administrative commands, which allows remote attackers to modify domain name information via the nsManager.cgi CGI program.
AI Score 6.5 | EPSS 0.028 | 2000-12-11 05:00 AM

CVE-2015-4117
Vesta Control Panel before 0.9.8-14 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the backup parameter to list/backup/index.php.
CVSS 8.8 | AI Score 8.7 | EPSS 0.014 | 2018-02-28 10:29 PM

CVE-2018-10686
An issue was discovered in Vesta Control Panel 0.9.8-20. There is Reflected XSS via $_REQUEST['path'] to the view/file/index.php URI, which can lead to remote PHP code execution via vectors involving a file_put_contents call in web/upload/UploadHandler.php.
CVSS 6.1 | AI Score 6.3 | EPSS 0.001 | 2018-05-06 05:29 AM

CVE-2018-18547
Vesta Control Panel through 0.9.8-22 has XSS via the edit/web/ domain parameter, the list/backup/ backup parameter, the list/rrd/ period parameter, the list/directory/ dir_a parameter, or the filename to the list/directory/ URI.
CVSS 6.1 | AI Score 6 | EPSS 0.003 | 2018-10-24 09:29 PM

CVE-2019-12791
A directory traversal vulnerability in the v-list-user script in Vesta Control Panel 0.9.8-24 allows remote attackers to escalate from regular registered users to root via the password reset form.
CVSS 8.8 | AI Score 8.8 | EPSS 0.007 | 2019-08-15 09:15 PM

CVE-2019-12792
A command injection vulnerability in UploadHandler.php in Vesta Control Panel 0.9.8-24 allows remote attackers to escalate from regular registered users to root.
CVSS 8.8 | AI Score 8.9 | EPSS 0.004 | 2019-08-15 09:15 PM

CVE-2019-9841
Vesta Control Panel 0.9.8-23 allows XSS via a crafted URL.
CVSS 6.1 | AI Score 5.8 | EPSS 0.001 | 2019-04-19 07:29 PM

CVE-2020-10966
In the Password Reset Module in VESTA Control Panel through 0.9.8-25 and Hestia Control Panel before 1.1.1, Host header manipulation leads to account takeover because the victim receives a reset URL containing an attacker-controlled server name.
CVSS 6.5 | AI Score 6.4 | EPSS 0.002 | 2020-03-25 11:15 PM

CVE-2021-27231
Hestia Control Panel 1.3.5 and below, in a shared-hosting environment, sometimes allows remote authenticated users to create a subdomain for a different customer's domain name, leading to spoofing of services or email messages.
CVSS 5.4 | AI Score 5.2 | EPSS 0.001 | 2021-02-16 04:15 AM

CVE-2021-30071
A cross-site scripting (XSS) vulnerability in /admin/list_key.html of HestiaCP before v1.3.5 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
CVSS 6.1 | AI Score 5.9 | EPSS 0.001 | 2022-08-18 05:15 AM

CVE-2021-30463
VestaCP through 0.9.8-24 allows attackers to gain privileges by creating symlinks to files for which they lack permissions. After reading the RKEY value from user.conf under the /usr/local/vesta/data/users/admin directory, the admin password can be changed via a /reset/?action=confirm&user=admin&co...
CVSS 7.8 | AI Score 7.8 | EPSS 0.0005 | 2021-04-08 02:15 PM

CVE-2021-3797
hestiacp is vulnerable to Use of Wrong Operator in String Comparison.
CVSS 9.8 | AI Score 9.4 | EPSS 0.003 | 2021-09-15 01:15 PM

CVE-2021-46850
myVesta Control Panel before 0.9.8-26-43 and Vesta Control Panel before 0.9.8-26 are vulnerable to command injection. An authenticated and remote administrative user can execute arbitrary commands via the v_sftp_license parameter when sending HTTP POST requests to the /edit/server endpoint.
CVSS 7.2 | AI Score 7.5 | EPSS 0.028 | 2022-10-24 02:15 PM

CVE-2022-0752
Cross-site Scripting (XSS) - Generic in GitHub repository hestiacp/hestiacp prior to 1.5.9.
CVSS 6.1 | AI Score 6 | EPSS 0.001 | 2022-03-04 12:15 PM

CVE-2022-0753
Cross-site Scripting (XSS) - Reflected in GitHub repository hestiacp/hestiacp prior to 1.5.9.
CVSS 6.1 | AI Score 6 | EPSS 0.001 | 2022-03-03 04:15 PM

CVE-2022-0838
Cross-site Scripting (XSS) - Reflected in GitHub repository hestiacp/hestiacp prior to 1.5.10.
CVSS 6.1 | AI Score 6 | EPSS 0.001 | 2022-03-04 08:15 AM

CVE-2022-0986
Reflected Cross-site Scripting (XSS) Vulnerability in GitHub repository hestiacp/hestiacp prior to 1.5.11.
CVSS 6.1 | AI Score 6 | EPSS 0.001 | 2022-03-16 01:15 PM

CVE-2022-1509
Sed Injection Vulnerability in GitHub repository hestiacp/hestiacp prior to 1.5.12. An authenticated remote attacker with low privileges can execute arbitrary code under root context.
CVSS 8.8 | AI Score 9 | EPSS 0.002 | 2022-04-28 10:15 AM

CVE-2022-2550
OS Command Injection in GitHub repository hestiacp/hestiacp prior to 1.6.5.
CVSS 8.8 | AI Score 8.9 | EPSS 0.002 | 2022-07-27 03:15 PM

CVE-2022-2626
Incorrect Privilege Assignment in GitHub repository hestiacp/hestiacp prior to 1.6.6.
CVSS 7.2 | AI Score 7 | EPSS 0.001 | 2022-08-05 09:15 AM

CVE-2022-2636
Improper Control of Generation of Code ('Code Injection') in GitHub repository hestiacp/hestiacp prior to 1.6.6.
CVSS 8.8 | AI Score 8.8 | EPSS 0.001 | 2022-08-05 10:15 AM

CVE-2022-3967
A vulnerability, which was classified as critical, was found in Vesta Control Panel. Affected is an unknown function of the file func/main.sh of the component sed Handler. The manipulation leads to argument injection. An attack has to be approached locally. The name of the patch is 39561c32c12cabe5...
CVSS 7.8 | AI Score 8 | EPSS 0.0004 | 2022-11-13 08:15 AM

CVE-2023-3479
Cross-site Scripting (XSS) - Reflected in GitHub repository hestiacp/hestiacp prior to 1.7.8.
CVSS 6.1 | AI Score 5.1 | EPSS 0.001 | 2023-06-30 10:15 AM

CVE-2023-5839
Privilege Chaining in GitHub repository hestiacp/hestiacp prior to 1.8.9.
CVSS 7.8 | AI Score 7.9 | EPSS 0.0004 | 2023-10-29 01:15 AM