CVE-2022-0753 – Cross-site Scripting (XSS) - Reflected in hestiacp/hestiacp
https://notcve.org/view.php?id=CVE-2022-0753
Cross-site Scripting (XSS) - Reflected in GitHub repository hestiacp/hestiacp prior to 1.5.9.
References: https://github.com/hestiacp/hestiacp/commit/ee10e2275139684fc9a2d32169d0da702cea5ad2 • https://huntr.dev/bounties/8ce4b776-1c53-45ec-bc5f-783077e2d324
Weakness: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-3797 – Use of Wrong Operator in String Comparison in hestiacp/hestiacp
https://notcve.org/view.php?id=CVE-2021-3797
hestiacp is vulnerable to Use of Wrong Operator in String Comparison.
References: https://github.com/hestiacp/hestiacp/commit/fc68baff4f94b59e38316f886d0ce47d337042f7 • https://huntr.dev/bounties/c24fb15c-3c84-45c8-af04-a660f8da388f
Weakness: CWE-597: Use of Wrong Operator in String Comparison
CVE-2021-27231
https://notcve.org/view.php?id=CVE-2021-27231
Hestia Control Panel 1.3.5 and below, in a shared-hosting environment, sometimes allows remote authenticated users to create a subdomain for a different customer's domain name, leading to spoofing of services or email messages.
References: https://github.com/hestiacp/hestiacp/issues/1622 • https://github.com/sickcodes/security/blob/master/advisories/sick-2021-006.md • https://sick.codes/sick-2021-006 • https://www.hestiacp.com
CVE-2020-10966
https://notcve.org/view.php?id=CVE-2020-10966
In the Password Reset Module in VESTA Control Panel through 0.9.8-25 and Hestia Control Panel before 1.1.1, Host header manipulation leads to account takeover because the victim receives a reset URL containing an attacker-controlled server name.
References: https://github.com/hestiacp/hestiacp/issues/748 • https://github.com/hestiacp/hestiacp/releases/tag/1.1.1 • https://github.com/serghey-rodin/vesta/commit/c3c4de43d6701560f604ca7996f717b08e3d7d1d