PT-2018-9600 · Vesta · Vestacp

Published

2018-12-20

Updated

2020-08-24

CVE-2018-1000884

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Vesta CP versions prior to 0.9.8-18

Description: The issue is related to a timing discrepancy in the password reset code, located in the web/reset/index.php file, line 51. This can potentially allow an attacker to determine password reset codes and change the administrator's password. The attack is exploitable via unauthenticated network connectivity.

Recommendations: For versions prior to 0.9.8-18, update to version 0.9.8-19 or later to resolve the issue. As a temporary workaround, consider restricting access to the password reset functionality until the update is applied.

Fix

Side Channel Attack

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-203

Related Identifiers

CVE-2018-1000884

Affected Products

Vestacp

PT-2018-9600 · Vesta · Vestacp

CVE-2018-1000884

Weakness Enumeration

Related Identifiers

Affected Products

References · 3