Divinity76

**Name of the Vulnerable Software and Affected Versions** HestiaCP versions 1.9.0 through 1.9.4 **Description** A deserialization issue exists in the web terminal component due to a session format mismatch between PHP and Node.js. This allows unauthenticated remote attackers to achieve root-level code execution by injecting crafted data into HTTP headers. These headers are processed by the PHP session handler and incorrectly deserialized by the Node.js web terminal component as trusted session values, leading to arbitrary command execution on systems where the web terminal feature is enabled. **Recommendations** Update HestiaCP versions 1.9.0 through 1.9.4 to a patched version. As a temporary workaround, disable the web terminal feature to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** HestiaCP versions 1.2.0 through 1.9.4 **Description** An IP spoofing issue allows unauthenticated remote attackers to bypass authentication security controls. This occurs when the system accepts an arbitrary IP address provided in the 'CF-Connecting-IP' HTTP header without verifying that the request actually originated from the Cloudflare network. Exploitation enables attackers to circumvent fail2ban brute-force protection, bypass per-user IP allowlists, and poison authentication audit logs by spoofing trusted IP addresses. **Recommendations** Update HestiaCP to a version later than 1.9.4. As a temporary mitigation, restrict access to the control panel or configure the server to only accept 'CF-Connecting-IP' headers from verified Cloudflare IP ranges.

**Name of the Vulnerable Software and Affected Versions** Chrome PHP versions prior to 1.14.0 **Description** The issue arises from CSS Selector expressions not being properly encoded, leading to potential cross-site scripting (XSS) vulnerabilities. There is no information provided about the estimated number of potentially affected devices worldwide or details about real-world incidents where this issue was exploited. **Recommendations** For versions prior to 1.14.0, consider upgrading to version 1.14.0 or later. As a temporary workaround, users can apply encoding manually to their CSS Selector expressions if they are unable to upgrade.