CVE-2022-1509
published 2022-04-28CVE-2022-1509: Command Injection Vulnerability in GitHub repository hestiacp/hestiacp prior to 1.5.12. An authenticated remote attacker with low privileges can execute…
PriorityP262high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
4.46%
90.2th percentile
Command Injection Vulnerability in GitHub repository hestiacp/hestiacp prior to 1.5.12. An authenticated remote attacker with low privileges can execute arbitrary code under root context.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hestiacp | control_panel | < 1.5.12 | 1.5.12 |
| hestiacp | hestiacp_hestiacp | >= unspecified < 1.5.12 | 1.5.12 |
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv2.09.0CRITICALAV:N/AC:L/Au:S/C:C/I:C/A:C
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
CWE
Improper Neutralization of Special Elements used in a Command ('Command Injection')
mitre_cwe
CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Many protocols and products have their own custom command language. While OS or shell command strings are frequently discovered and targeted, developers may not realize that these other command languages might also be vulnerable to attacks.
Modes of Introduction:
Phase: Implementation
Note: Command injection vulnerabilities typically occur when: Data enters the application from an untrusted source. The data is part of a string that is exe
CWE
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
mitre_cwe
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Modes of Introduction:
Phase: Implementation
Note: REALIZATION: This weakness is caused during implementation of an architectural security tactic.
Common Consequences:
Scope: Confidentiality. Impact: Read Application Data. Many injection attacks involve the disclosure of important information -- in terms of both data sensitivity and usefulness in further exploitation.
Scope: Access Cont
2022-04-28
Published