CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 2CVE-2018-18547 – VestaCP 0.9.8-22 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2018-18547
Vesta Control Panel through 0.9.8-22 has XSS via the edit/web/ domain parameter, the list/backup/ backup parameter, the list/rrd/ period parameter, the list/directory/ dir_a parameter, or the filename to the list/directory/ URI. Vesta Control Panel hasta la versión 0.9.8-22 tiene Cross-Site Scripting (XSS) mediante el parámetro domain en edit/web/, el parámetro backup en list/backup/, el parámetro period en list/rrd/, el parámetro dir_a en list/directory/ o el nombre de archivo en el URI list/directory/. VestaCP versions 0.9.8-22 and below suffer from multiple cross site scripting vulnerabilities. • http://packetstormsecurity.com/files/149897/VestaCP-0.9.8-22-Cross-Site-Scripting.html https://numanozdemir.com/vesta-vulns.txt • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2018-10686
https://notcve.org/view.php?id=CVE-2018-10686
An issue was discovered in Vesta Control Panel 0.9.8-20. There is Reflected XSS via $_REQUEST['path'] to the view/file/index.php URI, which can lead to remote PHP code execution via vectors involving a file_put_contents call in web/upload/UploadHandler.php. Se ha descubierto un problema en Vesta Control Panel 0.9.8-20. Hay Cross-Site Scripting (XSS) reflejado mediante $_REQUEST['path'] en el URI view/file/index.php que puede conducir a la ejecución de código PHP remoto por medio de vectores relacionados con una llamada file_put_contents en web/upload/UploadHandler.php. • https://github.com/serghey-rodin/vesta/issues/1558 https://medium.com/%40ndrbasi/cve-2018-10686-vestacp-rce-d96d95c2bde2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 2%CPEs: 1EXPL: 2CVE-2000-1023 – Alabanza Control Panel 3.0 - Domain Modification
https://notcve.org/view.php?id=CVE-2000-1023
The Alabanza Control Panel does not require passwords to access administrative commands, which allows remote attackers to modify domain name information via the nsManager.cgi CGI program. • https://www.exploit-db.com/exploits/20238 http://www.securityfocus.com/archive/1/84766 http://www.securityfocus.com/bid/1710 https://exchange.xforce.ibmcloud.com/vulnerabilities/5284 •