CVE-2018-10686
https://notcve.org/view.php?id=CVE-2018-10686
An issue was discovered in Vesta Control Panel 0.9.8-20. There is Reflected XSS via $_REQUEST['path'] to the view/file/index.php URI, which can lead to remote PHP code execution via vectors involving a file_put_contents call in web/upload/UploadHandler.php.
• https://github.com/serghey-rodin/vesta/issues/1558
• https://medium.com/%40ndrbasi/cve-2018-10686-vestacp-rce-d96d95c2bde2
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2000-1023 – Alabanza Control Panel 3.0 - Domain Modification
https://notcve.org/view.php?id=CVE-2000-1023
The Alabanza Control Panel does not require passwords to access administrative commands, which allows remote attackers to modify domain name information via the nsManager.cgi CGI program.
• https://www.exploit-db.com/exploits/20238
• http://www.securityfocus.com/archive/1/84766
• http://www.securityfocus.com/bid/1710
• https://exchange.xforce.ibmcloud.com/vulnerabilities/5284