In the Password Reset Module in VESTA Control Panel through 0.9.8-25 and Hestia Control Panel before 1.1.1, Host header manipulation leads to account takeover because the victim receives a reset URL containing an attacker-controlled server name.
CVSS 6.5 | AI Score 6.4 | EPSS 0.002
Hestia Control Panel 1.3.5 and below, in a shared-hosting environment, sometimes allows remote authenticated users to create a subdomain for a different customer's domain name, leading to spoofing of services or email messages.
CVSS 5.4 | AI Score 5.2 | EPSS 0.001
A cross-site scripting (XSS) vulnerability in /admin/list_key.html of HestiaCP before v1.3.5 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
CVSS 6.1 | AI Score 5.9 | EPSS 0.001
CVSS 9.8 | AI Score 9.4 | EPSS 0.003
Cross-site Scripting (XSS) - Generic in GitHub repository hestiacp/hestiacp prior to 1.5.9.
CVSS 6.1 | AI Score 6 | EPSS 0.001
Cross-site Scripting (XSS) - Reflected in GitHub repository hestiacp/hestiacp prior to 1.5.9.
CVSS 6.1 | AI Score 6 | EPSS 0.001
Cross-site Scripting (XSS) - Reflected in GitHub repository hestiacp/hestiacp prior to 1.5.10.
CVSS 6.1 | AI Score 6 | EPSS 0.001
Reflected Cross-site Scripting (XSS) Vulnerability in GitHub repository hestiacp/hestiacp prior to 1.5.11.
CVSS 6.1 | AI Score 6 | EPSS 0.001
Command Injection Vulnerability in GitHub repository hestiacp/hestiacp prior to 1.5.12. An authenticated remote attacker with low privileges can execute arbitrary code under root context.
CVSS 9.9 | AI Score 9.1 | EPSS 0.002
CVSS 8.8 | AI Score 8.9 | EPSS 0.002
Incorrect Privilege Assignment in GitHub repository hestiacp/hestiacp prior to 1.6.6.
CVSS 7.2 | AI Score 7 | EPSS 0.001
Improper Control of Generation of Code ('Code Injection') in GitHub repository hestiacp/hestiacp prior to 1.6.6.
CVSS 8.8 | AI Score 8.8 | EPSS 0.001
Cross-site Scripting (XSS) - Reflected in GitHub repository hestiacp/hestiacp prior to 1.7.8.
CVSS 6.1 | AI Score 5.1 | EPSS 0.001
CVSS 7.8 | AI Score 7.9 | EPSS 0.0004