CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

Privilege Chaining in GitHub repository hestiacp/hestiacp prior to 1.8.9. • https://github.com/hestiacp/hestiacp/commit/acb766e1db53de70534524b3fbc2270689112630 https://huntr.com/bounties/21125f12-64a0-42a3-b218-26b9945a5bc0 • CWE-268: Privilege Chaining

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 1

Cross-site Scripting (XSS) - Reflected in GitHub repository hestiacp/hestiacp prior to 1.7.8. • https://github.com/hestiacp/hestiacp/commit/2326aa525a7ba14513af783f29cb5e62a476e67a https://huntr.dev/bounties/6ac5cf87-6350-4645-8930-8f2876427723 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

A vulnerability classified as critical was found in Vesta Control Panel. It affects an unknown function of the file func/main.sh of the component sed Handler. The manipulation leads to argument injection. The attack must be carried out locally. The name of the patch is 39561c32c12cabe563de48cc96eccb9e2c655e25. • https://github.com/serghey-rodin/vesta/commit/39561c32c12cabe563de48cc96eccb9e2c655e25 https://vuldb.com/?id.213546 • CWE-707: Improper Neutralization

CVSS: 7.2 • EPSS: 6% • CPEs: 2 • EXPL: 2

myVesta Control Panel before 0.9.8-26-43 and Vesta Control Panel before 0.9.8-26 are vulnerable to command injection. An authenticated and remote administrative user can execute arbitrary commands via the v_sftp_license parameter when sending HTTP POST requests to the /edit/server endpoint. • https://blog.talosintelligence.com/2021/06/necro-python-bot-adds-new-tricks.html https://github.com/myvesta/vesta/commit/7991753ab7c5c568768028fb77554db8ea149f17 https://github.com/myvesta/vesta/releases/tag/0.9.8-26-43 https://github.com/serghey-rodin/vesta/commit/a4e4542a6d1351c2857b169f8621dd9a13a2e896 https://www.exploit-db.com/exploits/49674 • CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

A cross-site scripting (XSS) vulnerability in /admin/list_key.html of HestiaCP before v1.3.5 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. • https://github.com/hestiacp/hestiacp/commit/706314c12872c7607e96a73dfc77dbbddad2875e • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')