CVE-2021-46850
Published: 2022-10-24
Priority: P278 · high · 7.2 (CVSS 3.1)
CVSS 3.1 vector: AV:N / AC:L / PR:H / UI:N / S:U / C:H / I:H / A:H
ITW: VulnCheck KEV
Exploited in the wild
EPSS: 5.24% (91.5th percentile)
myVesta Control Panel before 0.9.8-26-43 and Vesta Control Panel before 0.9.8-26 are vulnerable to command injection. An authenticated and remote administrative user can execute arbitrary commands via the v_sftp_license parameter when sending HTTP POST requests to the /edit/server endpoint.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| vestacp | control_panel | < 0.9.8-26-43 | 0.9.8-26-43 |
| vestacp | vesta_control_panel | < 0.9.8-26 | 0.9.8-26 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | | 7.2 | HIGH | |
GHSA
GHSA-ffhx-6p84-463h: myVesta Control Panel before 0
ghsa_unreviewed · 2022-10-24 · CVE-2021-46850 [HIGH] · CWE-77
VulnCheck
vestacp control_panel: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
vulncheck · 2021 · CVSS 7.2 · CVE-2021-46850 [HIGH]
Affected: vestacp control_panel
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://blog.talosintelligence.com/2021/06/necro-python-bot-adds-new-tricks.html
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://blog.talosintelligence.com/2021/06/necro-python-bot-adds-new-tricks.html
- https://github.com/myvesta/vesta/commit/7991753ab7c5c568768028fb77554db8ea149f17
- https://github.com/myvesta/vesta/releases/tag/0.9.8-26-43
- https://github.com/serghey-rodin/vesta/commit/a4e4542a6d1351c2857b169f8621dd9a13a2e896
- https://www.exploit-db.com/exploits/49674