CVE-2022-3967 – Vesta Control Panel sed main.sh argument injection
https://notcve.org/view.php?id=CVE-2022-3967
A vulnerability, which was classified as critical, was found in Vesta Control Panel. Affected is an unknown function of the file func/main.sh of the component sed Handler. The manipulation leads to argument injection. An attack has to be approached locally. The name of the patch is 39561c32c12cabe563de48cc96eccb9e2c655e25. • https://github.com/serghey-rodin/vesta/commit/39561c32c12cabe563de48cc96eccb9e2c655e25 https://vuldb.com/?id.213546 • CWE-707: Improper Neutralization •
CVE-2021-46850
https://notcve.org/view.php?id=CVE-2021-46850
myVesta Control Panel before 0.9.8-26-43 and Vesta Control Panel before 0.9.8-26 are vulnerable to command injection. An authenticated and remote administrative user can execute arbitrary commands via the v_sftp_license parameter when sending HTTP POST requests to the /edit/server endpoint. myVesta Control Panel versiones anteriores a 0.9.8-26-43 y Vesta Control Panel versiones anteriores a 0.9.8-26, son vulnerables a una inyección de comandos. Un usuario administrativo autenticado y remoto puede ejecutar comandos arbitrarios por medio del parámetro v_sftp_license cuando envía peticiones HTTP POST al endpoint /edit/server • https://blog.talosintelligence.com/2021/06/necro-python-bot-adds-new-tricks.html https://github.com/myvesta/vesta/commit/7991753ab7c5c568768028fb77554db8ea149f17 https://github.com/myvesta/vesta/releases/tag/0.9.8-26-43 https://github.com/serghey-rodin/vesta/commit/a4e4542a6d1351c2857b169f8621dd9a13a2e896 https://www.exploit-db.com/exploits/49674 • CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') •
CVE-2022-36305
https://notcve.org/view.php?id=CVE-2022-36305
Vesta v1.0.0-5 was discovered to contain a cross-site scripting (XSS) vulnerability via the body function at /web/api/v1/upload/UploadHandler.php. Se ha detectado que Vesta versión v1.0.0-5, contiene una vulnerabilidad de scripting entre sitios (XSS) por medio de la función body en el archivo /web/api/v1/upload/UploadHandler.php. • https://github.com/serghey-rodin/vesta/issues/2252 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2022-36304
https://notcve.org/view.php?id=CVE-2022-36304
Vesta v1.0.0-5 was discovered to contain a cross-site scripting (XSS) vulnerability via the generate_response function at /web/api/v1/upload/UploadHandler.php. Se ha detectado que Vesta versión v1.0.0-5, contiene una vulnerabilidad de tipo cross-site scripting, por medio de la función generate_response en el archivo /web/api/v1/upload/UploadHandler.php. • https://github.com/serghey-rodin/vesta/issues/2252 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2022-36303
https://notcve.org/view.php?id=CVE-2022-36303
Vesta v1.0.0-5 was discovered to contain a cross-site scripting (XSS) vulnerability via the handle_file_upload function at /web/api/v1/upload/UploadHandler.php. Se ha detectado que Vesta versión v1.0.0-5, contiene una vulnerabilidad de tipo cross-site scripting, por medio de la función handle_file_upload en el archivo /web/api/v1/upload/UploadHandler.php. • https://github.com/serghey-rodin/vesta/issues/2252 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •