PT-2018-10053 · Vesta · Vesta Control Panel
R0Xen · Published 2018-05-06 · Updated 2018-06-12
CVE-2018-10686
CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Vesta Control Panel version 0.9.8-20
Description
An issue was discovered that allows reflected XSS via the path variable in the view/file/index.php URI. This can potentially lead to remote PHP code execution through vectors involving a file_put_contents call in web/upload/UploadHandler.php.
Recommendations
For Vesta Control Panel version 0.9.8-20, consider restricting access to the view/file/index.php URI and limiting the use of the file_put_contents function in web/upload/UploadHandler.php to minimize the risk of exploitation. Additionally, validate and sanitize the path variable (encoding it for the HTML context in which it is reflected) to prevent XSS attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
XSS
Affected Products
Vesta Control Panel