CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 1CVE-2021-27231
https://notcve.org/view.php?id=CVE-2021-27231
Hestia Control Panel 1.3.5 and below, in a shared-hosting environment, sometimes allows remote authenticated users to create a subdomain for a different customer's domain name, leading to spoofing of services or email messages. Hestia Control Panel versión 1.3.5 e inferiores, en un ambiente de hosting compartido, a veces permite a usuarios autenticados remotos crear un subdominio para un nombre de dominio de un cliente diferente, conllevando a una suplantación de servicios o de mensajes de correo electrónico • https://github.com/hestiacp/hestiacp/issues/1622 https://github.com/sickcodes/security/blob/master/advisories/sick-2021-006.md https://sick.codes/sick-2021-006 https://www.hestiacp.com •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 1CVE-2020-10966
https://notcve.org/view.php?id=CVE-2020-10966
In the Password Reset Module in VESTA Control Panel through 0.9.8-25 and Hestia Control Panel before 1.1.1, Host header manipulation leads to account takeover because the victim receives a reset URL containing an attacker-controlled server name. En el Password Reset Module en VESTA Control Panel versiones hasta 0.9.8-25 y Hestia Control Panel versiones hasta 1.1.0, la manipulación del encabezado Host conlleva a la toma de control de la cuenta porque la víctima recibe un URL de restablecimiento que contiene un nombre de servidor controlado por el atacante. • https://github.com/hestiacp/hestiacp/issues/748 https://github.com/hestiacp/hestiacp/releases/tag/1.1.1 https://github.com/serghey-rodin/vesta/commit/c3c4de43d6701560f604ca7996f717b08e3d7d1d •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 2CVE-2018-18547 – VestaCP 0.9.8-22 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2018-18547
Vesta Control Panel through 0.9.8-22 has XSS via the edit/web/ domain parameter, the list/backup/ backup parameter, the list/rrd/ period parameter, the list/directory/ dir_a parameter, or the filename to the list/directory/ URI. Vesta Control Panel hasta la versión 0.9.8-22 tiene Cross-Site Scripting (XSS) mediante el parámetro domain en edit/web/, el parámetro backup en list/backup/, el parámetro period en list/rrd/, el parámetro dir_a en list/directory/ o el nombre de archivo en el URI list/directory/. VestaCP versions 0.9.8-22 and below suffer from multiple cross site scripting vulnerabilities. • http://packetstormsecurity.com/files/149897/VestaCP-0.9.8-22-Cross-Site-Scripting.html https://numanozdemir.com/vesta-vulns.txt • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 1%CPEs: 1EXPL: 1CVE-2015-4117 – Vesta Control Panel 0.9.8 - OS Command Injection
https://notcve.org/view.php?id=CVE-2015-4117
Vesta Control Panel before 0.9.8-14 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the backup parameter to list/backup/index.php. Vesta Control Panel en versiones anteriores a la 0.9.8-14 permite que usuarios autenticados remotos ejecuten comandos mediante metacaracteres shell en el parámetro backup en list/backup/index.php. Vesta Control Panel version 0.9.8 suffers from an OS command injection vulnerability. • https://www.exploit-db.com/exploits/37369 http://vestacp.com/roadmap/#history https://www.htbridge.com/advisory/HTB23261 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 7.5EPSS: 2%CPEs: 1EXPL: 2CVE-2000-1023 – Alabanza Control Panel 3.0 - Domain Modification
https://notcve.org/view.php?id=CVE-2000-1023
The Alabanza Control Panel does not require passwords to access administrative commands, which allows remote attackers to modify domain name information via the nsManager.cgi CGI program. • https://www.exploit-db.com/exploits/20238 http://www.securityfocus.com/archive/1/84766 http://www.securityfocus.com/bid/1710 https://exchange.xforce.ibmcloud.com/vulnerabilities/5284 •