CVSS: 7.2EPSS: 6%CPEs: 2EXPL: 2CVE-2021-46850
https://notcve.org/view.php?id=CVE-2021-46850
myVesta Control Panel before 0.9.8-26-43 and Vesta Control Panel before 0.9.8-26 are vulnerable to command injection. An authenticated and remote administrative user can execute arbitrary commands via the v_sftp_license parameter when sending HTTP POST requests to the /edit/server endpoint. myVesta Control Panel versiones anteriores a 0.9.8-26-43 y Vesta Control Panel versiones anteriores a 0.9.8-26, son vulnerables a una inyección de comandos. Un usuario administrativo autenticado y remoto puede ejecutar comandos arbitrarios por medio del parámetro v_sftp_license cuando envía peticiones HTTP POST al endpoint /edit/server • https://blog.talosintelligence.com/2021/06/necro-python-bot-adds-new-tricks.html https://github.com/myvesta/vesta/commit/7991753ab7c5c568768028fb77554db8ea149f17 https://github.com/myvesta/vesta/releases/tag/0.9.8-26-43 https://github.com/serghey-rodin/vesta/commit/a4e4542a6d1351c2857b169f8621dd9a13a2e896 https://www.exploit-db.com/exploits/49674 • CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2022-36305
https://notcve.org/view.php?id=CVE-2022-36305
Vesta v1.0.0-5 was discovered to contain a cross-site scripting (XSS) vulnerability via the body function at /web/api/v1/upload/UploadHandler.php. Se ha detectado que Vesta versión v1.0.0-5, contiene una vulnerabilidad de scripting entre sitios (XSS) por medio de la función body en el archivo /web/api/v1/upload/UploadHandler.php. • https://github.com/serghey-rodin/vesta/issues/2252 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2022-36304
https://notcve.org/view.php?id=CVE-2022-36304
Vesta v1.0.0-5 was discovered to contain a cross-site scripting (XSS) vulnerability via the generate_response function at /web/api/v1/upload/UploadHandler.php. Se ha detectado que Vesta versión v1.0.0-5, contiene una vulnerabilidad de tipo cross-site scripting, por medio de la función generate_response en el archivo /web/api/v1/upload/UploadHandler.php. • https://github.com/serghey-rodin/vesta/issues/2252 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2022-36303
https://notcve.org/view.php?id=CVE-2022-36303
Vesta v1.0.0-5 was discovered to contain a cross-site scripting (XSS) vulnerability via the handle_file_upload function at /web/api/v1/upload/UploadHandler.php. Se ha detectado que Vesta versión v1.0.0-5, contiene una vulnerabilidad de tipo cross-site scripting, por medio de la función handle_file_upload en el archivo /web/api/v1/upload/UploadHandler.php. • https://github.com/serghey-rodin/vesta/issues/2252 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2022-34025
https://notcve.org/view.php?id=CVE-2022-34025
Vesta v1.0.0-5 was discovered to contain a cross-site scripting (XSS) vulnerability via the post function at /web/api/v1/upload/UploadHandler.php. Se ha detectado que Vesta versión v1.0.0-5, contiene una vulnerabilidad de tipo cross-site scripting, por medio de la función post en el archivo /web/api/v1/upload/UploadHandler.php. • https://github.com/serghey-rodin/vesta/issues/2252 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •