cvebase

Hestiacp Control Panel vulnerabilities

14 known vulnerabilities affecting hestiacp/control_panel.

Total CVEs: 14
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 5, MEDIUM 8

Vulnerabilities

(columns: CVE ID | priority | severity | CVSS base score | fix status | date)
CVE-2022-2550 | P2 | HIGH | CVSS 8.8 | fixed in 1.6.5 | 2022-07-27
CWE-78: OS Command Injection in GitHub repository hestiacp/hestiacp prior to 1.6.5. (source: NVD)
CVE-2022-1509 | P2 | HIGH | CVSS 8.8 | fixed in 1.5.12 | 2022-04-28
CWE-77: Command Injection Vulnerability in GitHub repository hestiacp/hestiacp prior to 1.5.12. An authenticated remote attacker with low privileges can execute arbitrary code under root context. (source: NVD)
CVE-2023-3479 | P3 | MEDIUM | CVSS 6.1 | PoC available | fixed in 1.7.8 | 2023-06-30
CWE-79: Cross-site Scripting (XSS) - Reflected in GitHub repository hestiacp/hestiacp prior to 1.7.8. (source: NVD)
CVE-2022-2636 | P3 | HIGH | CVSS 8.8 | fixed in 1.6.6 | 2022-08-05
CWE-94: Improper Control of Generation of Code ('Code Injection') in GitHub repository hestiacp/hestiacp prior to 1.6.6. (source: NVD)
CVE-2021-3797 | P3 | CRITICAL | CVSS 9.8 | affects ≤ 1.4.12 | 2021-09-15
CWE-597: hestiacp is vulnerable to Use of Wrong Operator in String Comparison. (source: NVD)
CVE-2022-2626 | P3 | HIGH | CVSS 7.2 | fixed in 1.6.6 | 2022-08-05
CWE-266: Incorrect Privilege Assignment in GitHub repository hestiacp/hestiacp prior to 1.6.6. (source: NVD)
CVE-2023-5839 | P3 | HIGH | CVSS 7.8 | fixed in 1.8.9 | 2023-10-29
CWE-268: Privilege Chaining in GitHub repository hestiacp/hestiacp prior to 1.8.9. (source: NVD)
CVE-2020-10966 | P4 | MEDIUM | CVSS 6.5 | fixed in 1.1.1 | 2020-03-25
In the Password Reset Module in VESTA Control Panel through 0.9.8-25 and Hestia Control Panel before 1.1.1, Host header manipulation leads to account takeover because the victim receives a reset URL containing an attacker-controlled server name. (source: NVD)
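The Host-header poisoning that CVE-2020-10966 describes is a general pattern, not specific to one panel. The following is an added example, not code from HestiaCP or VestaCP (whose password-reset implementation is not shown on this page): it contrasts a reset-link builder that trusts the request's Host header with one that uses a configured canonical hostname, plus an allowlist check that rejects unexpected Host values before any reset logic runs. The hostnames, the CANONICAL_HOST and ALLOWED_HOSTS settings, the /reset/ path and the query parameter names are all assumptions made for illustration, and the request headers are constructed, not captured.

```python
import secrets
from urllib.parse import urlencode, urlsplit

# Constructed sample requests (not captured from any real panel). Both request a
# reset for the same victim account; only the Host header differs.
VICTIM_USER = "admin"
NORMAL_REQUEST = {"Host": "panel.example.com", "X-Forwarded-Proto": "https"}
POISONED_REQUEST = {"Host": "panel.attacker.example", "X-Forwarded-Proto": "https"}

# Hypothetical server-side settings: the panel's canonical hostname and the
# set of Host values the panel is willing to serve at all.
CANONICAL_HOST = "panel.example.com"
ALLOWED_HOSTS = {CANONICAL_HOST, "localhost"}


def vulnerable_reset_url(headers: dict, user: str, token: str) -> str:
    """The weak pattern: the link's hostname is copied from the request's Host
    header. Whoever triggers the reset chooses where the victim's browser sends
    the token when the emailed link is clicked."""
    host = headers.get("Host", "")
    query = urlencode({"action": "confirm", "user": user, "code": token})
    return f"https://{host}/reset/?{query}"


def hardened_reset_url(canonical_host: str, user: str, token: str) -> str:
    """The corrected pattern: the hostname comes from configuration only; the
    request's Host header is never consulted when building the link."""
    query = urlencode({"action": "confirm", "user": user, "code": token})
    return f"https://{canonical_host}/reset/?{query}"


def host_header_allowed(headers: dict, allowed_hosts: set) -> bool:
    """Defence in depth: refuse any request whose Host header is not an expected
    panel hostname, before the reset handler runs. The optional :port suffix is
    stripped and the name is case-folded (IPv6 literals are not handled here)."""
    host = headers.get("Host", "").partition(":")[0].strip().lower()
    return host in allowed_hosts


def link_host(url: str) -> str:
    """Hostname the victim's browser would connect to when the link is clicked."""
    return urlsplit(url).hostname or ""


def reset_token_leaks(headers: dict, trusted_host: str) -> bool:
    """True if the vulnerable builder would send this request's freshly minted
    reset token to any host other than the panel itself."""
    token = secrets.token_urlsafe(16)
    return link_host(vulnerable_reset_url(headers, VICTIM_USER, token)) != trusted_host


def main() -> None:
    token = secrets.token_urlsafe(16)
    print("vulnerable, poisoned Host:", vulnerable_reset_url(POISONED_REQUEST, VICTIM_USER, token))
    print("hardened, configured host:", hardened_reset_url(CANONICAL_HOST, VICTIM_USER, token))
    print("poisoned request passes allowlist:", host_header_allowed(POISONED_REQUEST, ALLOWED_HOSTS))


if __name__ == "__main__":
    main()
```

The allowlist check belongs in front of every handler, not only the reset flow; the hardened builder is still the primary fix, because a reverse proxy that forwards arbitrary Host values can otherwise reach the application unchecked.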
CVE-2021-27231 | P4 | MEDIUM | CVSS 5.4 | affects ≤ 1.3.5 | 2021-02-16
Hestia Control Panel 1.3.5 and below, in a shared-hosting environment, sometimes allows remote authenticated users to create a subdomain for a different customer's domain name, leading to spoofing of services or email messages. (source: NVD)
CVE-2022-0838 | P4 | MEDIUM | CVSS 6.1 | fixed in 1.5.10 | 2022-03-04
CWE-79: Cross-site Scripting (XSS) - Reflected in GitHub repository hestiacp/hestiacp prior to 1.5.10. (source: NVD)
CVE-2022-0752 | P4 | MEDIUM | CVSS 6.1 | fixed in 1.5.9 | 2022-03-04
CWE-79: Cross-site Scripting (XSS) - Generic in GitHub repository hestiacp/hestiacp prior to 1.5.9. (source: NVD)
CVE-2022-0986 | P4 | MEDIUM | CVSS 6.1 | fixed in 1.5.11 | 2022-03-16
CWE-79: Reflected Cross-site Scripting (XSS) Vulnerability in GitHub repository hestiacp/hestiacp prior to 1.5.11. (source: NVD)
CVE-2022-0753 | P4 | MEDIUM | CVSS 6.1 | fixed in 1.5.9 | 2022-03-03
CWE-79: Cross-site Scripting (XSS) - Reflected in GitHub repository hestiacp/hestiacp prior to 1.5.9. (source: NVD)
CVE-2021-30071 | P4 | MEDIUM | CVSS 6.1 | fixed in 1.3.5 | 2022-08-18
CWE-79: A cross-site scripting (XSS) vulnerability in /admin/list_key.html of HestiaCP before v1.3.5 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. (source: NVD)