PT-2020-11366 · Vestacp · Vesta Control Panel

0Xecute · Published 2020-03-10 · Updated 2020-03-20 · CVE-2019-9859

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Vesta Control Panel (VestaCP) versions 0.9.7 through 0.9.8-23

Description: The issue is an authenticated command injection that can result in remote root access on the server. VestaCP uses PHP as the frontend language and shell scripts to perform system actions; PHP runs those shell scripts through the exec function. That function is dangerous when the arguments passed to it are not filtered. Although VestaCP filters user input with the escapeshellarg function, which wraps a string in single quotes and escapes any single quotes it already contains, VestaCP uses this function incorrectly in several places.

Recommendations: For Vesta Control Panel (VestaCP) versions 0.9.7 through 0.9.8-23, consider disabling the exec function until a patch is available to prevent exploitation. Restrict access to the shell scripts to minimize the risk of exploitation. Avoid passing user input as arguments to the exec function until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
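The description above states that VestaCP misuses escapeshellarg but does not say how. The following is an added example, not VestaCP's code, showing the pattern that escapeshellarg is designed for: every user-controlled value is escaped individually and placed as its own argument after a script path that never comes from user input, with an allowlist check in front of it as defence in depth. The script path and the argument names are assumptions for illustration.

```php
<?php
// Added example (not VestaCP's code). Assumed: a backend script at a fixed,
// non-user-controlled path; the real path is a placeholder here.
const BACKEND_SCRIPT = '/path/to/backend-script';

// Build the command line. Each user-controlled value is wrapped separately by
// escapeshellarg(), which single-quotes the string and escapes embedded single
// quotes, so the shell sees it as exactly one argument. The script path is a
// constant and is never built from user input.
function build_command(string $user, string $domain): string
{
    return BACKEND_SCRIPT . ' ' . escapeshellarg($user) . ' ' . escapeshellarg($domain);
}

// Defence in depth: reject values that do not match the expected shape before
// they reach the shell at all, rather than relying on escaping alone.
// Constructed pattern: lowercase alphanumerics, dots and dashes, up to 63 chars.
function is_valid_name(string $value): bool
{
    return preg_match('/^[a-z0-9][a-z0-9.-]{0,62}$/', $value) === 1;
}

// Run the action and return the exit code and output instead of echoing them.
function run_action(string $user, string $domain): array
{
    if (!is_valid_name($user) || !is_valid_name($domain)) {
        return ['rc' => 1, 'out' => [], 'error' => 'invalid argument'];
    }
    $out = [];
    $rc = 0;
    exec(build_command($user, $domain), $out, $rc);
    return ['rc' => $rc, 'out' => $out, 'error' => null];
}

// Demonstration on constructed values, one of them containing shell
// metacharacters: build_command() keeps it inside a single quoted argument,
// and run_action() rejects it before exec() is reached.
var_dump(build_command('user1; id', 'example.com'));
var_dump(run_action('user1; id', 'example.com'));
```

The two properties worth checking in a review of code like this are that escapeshellarg is applied to each argument on its own (not to a string that already contains several arguments or the command itself), and that the escaped value is not then placed inside another quoting context, such as a double-quoted string handed to a second shell, where the single quotes no longer protect it.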

Exploit

OS Command Injection


Weakness Enumeration

Related Identifiers

CVE-2019-9859

Affected Products

Vesta Control Panel