
CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 1

An issue was discovered in Vesta Control Panel 0.9.8-20. There is reflected XSS via $_REQUEST['path'] to the view/file/index.php URI, which can lead to remote PHP code execution via vectors involving a file_put_contents call in web/upload/UploadHandler.php.
• References: https://github.com/serghey-rodin/vesta/issues/1558 , https://medium.com/%40ndrbasi/cve-2018-10686-vestacp-rce-d96d95c2bde2
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
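The entry names the sink (a request parameter echoed back by a file-viewer page) but not the fix. The following PHP is an added illustration written for this page, not Vesta's own code: it shows a minimal viewer that reflects a "path" parameter unescaped, beside a hardened version that first confines the path to the caller's directory with realpath() and then HTML-encodes it with htmlspecialchars(). The function names, the request array and the temporary directory are assumptions for the demo; the upload-handler chain the advisory mentions is not reproduced.

```php
<?php
// Added illustration (not Vesta's code): a file-viewer page that reflects
// the "path" request parameter. Function and parameter names are assumed.

declare(strict_types=1);

// Vulnerable form: the raw request value is interpolated straight into HTML.
// With path=<script>...</script> the script runs in the victim's browser.
function render_view_vulnerable(array $request): string
{
    $path = $request['path'] ?? '';
    return "<h1>Viewing: $path</h1>";
}

// Hardened form: (1) the value is accepted only if it resolves to an existing
// entry inside $baseDir, (2) it is HTML-encoded before being placed in the page.
function render_view_hardened(array $request, string $baseDir): string
{
    $path = (string)($request['path'] ?? '');
    // realpath() collapses "../" and symlinks and returns false for a
    // non-existent entry, so junk such as a <script> tag never reaches echo.
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $path);
    $base = realpath($baseDir);
    if ($real === false || $base === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return '<h1>Invalid path</h1>';
    }
    // ENT_QUOTES encodes both quote styles, so the value is also safe inside
    // an attribute; ENT_SUBSTITUTE avoids an empty string on bad UTF-8.
    $shown = ltrim(substr($real, strlen($base)), DIRECTORY_SEPARATOR);
    $safe = htmlspecialchars($shown, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<h1>Viewing: $safe</h1>";
}

// Constructed inputs for the demo, not captured requests.
$attack = ['path' => '<script>alert(document.cookie)</script>'];
echo render_view_vulnerable($attack), "\n";   // script tag reflected verbatim

$tmp = sys_get_temp_dir() . '/xss-demo-' . getmypid();   // assumed sandbox dir
mkdir($tmp . '/public_html', 0700, true);
touch($tmp . '/public_html/index.html');

echo render_view_hardened(['path' => 'public_html/index.html'], $tmp), "\n";
echo render_view_hardened($attack, $tmp), "\n";                  // Invalid path
echo render_view_hardened(['path' => '../../../etc/passwd'], $tmp), "\n"; // Invalid path

unlink($tmp . '/public_html/index.html');
rmdir($tmp . '/public_html');
rmdir($tmp);
```

Run it with `php viewer-demo.php`. The two controls are independent: the path check stops traversal and non-existent names, and the encoding stops markup in any name that does exist (a user can legitimately create a file called `<b>.html`), so neither replaces the other.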

CVSS: 6.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

Cross-site request forgery (CSRF) vulnerability in Vesta Control Panel before 0.9.8-14 allows remote attackers to hijack the authentication of arbitrary users.
• References: http://vestacp.com/roadmap/#history , http://www.kb.cert.org/vuls/id/842780 , http://www.securityfocus.com/bid/75215 , https://github.com/serghey-rodin/vesta/commit/527e4a9a62204be9b34c1338fadfe959b0fd3974
• CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 8.8 | EPSS: 1% | CPEs: 1 | EXPL: 1

Vesta Control Panel before 0.9.8-14 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the backup parameter to list/backup/index.php. Vesta Control Panel version 0.9.8 suffers from an OS command injection vulnerability.
• References: https://www.exploit-db.com/exploits/37369 , http://vestacp.com/roadmap/#history , https://www.htbridge.com/advisory/HTB23261
• CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
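The entry describes the classic shape of CWE-78: a request parameter interpolated into a shell command line. The PHP below is an added illustration for this page, not Vesta's code, and the handler, the `/backup` directory and the `ls` command are assumptions. It builds the command string both ways so the effect of metacharacters is visible without executing anything: the vulnerable builder splices the value in verbatim, the hardened builder rejects anything that is not a plain archive name and then still quotes the argument with escapeshellarg() as a second layer.

```php
<?php
// Added illustration (not Vesta's code): a backup-listing handler that puts
// the "backup" request parameter on a shell command line. Names are assumed.

declare(strict_types=1);

// Vulnerable form: string interpolation into the command line.
// backup=x; id   or   backup=$(id)   runs the attacker's command.
function build_list_cmd_vulnerable(array $request): string
{
    $backup = $request['backup'] ?? '';
    return "/bin/ls -l /backup/$backup";
}

// Hardened form: allow-list the expected archive-name syntax (no separators,
// no shell metacharacters, bounded length), then quote the argument anyway.
// escapeshellarg() wraps the value in single quotes and escapes embedded
// single quotes, so even a value that slipped past the regex is one argument.
function build_list_cmd_hardened(array $request): ?string
{
    $backup = (string)($request['backup'] ?? '');
    if (preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,127}\z/', $backup) !== 1) {
        return null;   // rejected: metacharacters, "/", empty string, over-long
    }
    return '/bin/ls -l /backup/' . escapeshellarg($backup);
}

// Constructed inputs for the demo, not captured requests.
$inputs = [
    'user.2018-05-01.tar',    // legitimate archive name
    'user.tar; id',           // command chaining
    'user.tar $(id)',         // command substitution
    "user.tar\nid",           // newline also ends a command in sh
    '../../../etc',           // path traversal
];

foreach ($inputs as $in) {
    $shown = addcslashes($in, "\n");
    printf("%-24s vulnerable: %s\n", $shown,
        addcslashes(build_list_cmd_vulnerable(['backup' => $in]), "\n"));
    printf("%-24s hardened:   %s\n", '',
        build_list_cmd_hardened(['backup' => $in]) ?? 'rejected');
}

// Quoting alone, shown on the chaining payload: the whole value becomes a
// single argument, so ";" is never seen by the shell as a separator.
echo "escapeshellarg only: ", escapeshellarg('user.tar; id'), "\n";
```

Run it with `php backup-demo.php`. The allow-list is the primary control; escapeshellarg() is kept because a later edit to the regex (say, to permit spaces) should not silently reopen the injection. If the listing can be produced without a shell at all (e.g. `scandir()` on the validated directory), that removes the sink entirely and is preferable to either.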