Vestacp Vesta Control Panel 0.9.8-24

CPE Details

Vestacp Vesta Control Panel 0.9.8-24
vestacp
vesta_control_panel
0.9.8-24
2019-06-18
15h10 +00:00
2019-06-18
15h10 +00:00
CPE NVD
Alerte pour un CPE
Restez informé de toutes modifications pour un CPE spécifique.
Gestion des notifications

CPE Name: cpe:2.3:a:vestacp:vesta_control_panel:0.9.8-24:*:*:*:*:*:*:*

Informations

Vendor

vestacp

Product

vesta_control_panel

Version

0.9.8-24

Related CVE

Open and find in CVE List

CVE ID Publié Description Score Gravité
CVE-2021-46850 2022-10-24 00h00 +00:00 myVesta Control Panel before 0.9.8-26-43 and Vesta Control Panel before 0.9.8-26 are vulnerable to command injection. An authenticated and remote administrative user can execute arbitrary commands via the v_sftp_license parameter when sending HTTP POST requests to the /edit/server endpoint.
7.2
Haute
CVE-2021-43693 2021-11-29 13h13 +00:00 vesta 0.9.8-24 is affected by a file inclusion vulnerability in file web/add/user/index.php.
9.8
Critique
CVE-2021-30462 2021-04-08 11h54 +00:00 VestaCP through 0.9.8-24 allows the admin user to escalate privileges to root because the Sudo configuration does not require a password to run /usr/local/vesta/bin scripts.
7.2
Haute
CVE-2021-28379 2021-03-15 04h56 +00:00 web/upload/UploadHandler.php in Vesta Control Panel (aka VestaCP) through 0.9.8-27 and myVesta through 0.9.8-26-39 allows uploads from a different origin.
8.8
Haute
CVE-2020-10787 2020-04-21 14h54 +00:00 An elevation of privilege in Vesta Control Panel through 0.9.8-26 allows an attacker to gain root system access from the admin account via v-change-user-password (aka the user password change script).
8.8
Haute
CVE-2020-10786 2020-04-21 14h54 +00:00 A remote command execution in Vesta Control Panel through 0.9.8-26 allows any authenticated user to execute arbitrary commands on the system via cron jobs.
8.8
Haute
CVE-2020-10808 2020-03-22 15h07 +00:00 Vesta Control Panel (VestaCP) through 0.9.8-26 allows Command Injection via the schedule/backup Backup Listing Endpoint. The attacker must be able to create a crafted filename on the server, as demonstrated by an FTP session that renames .bash_logout to a .bash_logout' substring followed by shell metacharacters.
8.8
Haute
Les informations affichées sur CVE Find proviennent de plusieurs sources de référence rigoureusement sélectionnées. Les données CVE sont fournies par MITRE Corporation et la National Vulnerability Database (NVD). Le catalogue des vulnérabilités activement exploitées (KEV) provient de la Cybersecurity and Infrastructure Security Agency (CISA), tandis que les scores EPSS sont issus de FIRST.org. Enfin, les données relatives aux faiblesses logicielles (CWE) et aux schémas d'attaque courants (CAPEC) sont maintenues par MITRE Corporation, et les informations sur les configurations logicielles et matérielles (CPE) proviennent du NVD.