CVE-2020-10808

Name of the Vulnerable Software and Affected Versions Vesta Control Panel (VestaCP) versions 0.9.8-26 and earlier

Description The issue allows Command Injection via the "schedule/backup Backup Listing Endpoint". An attacker must be able to create a crafted filename on the server. This can be demonstrated by an FTP session that renames .bash logout to a .bash logout substring followed by shell metacharacters.

Recommendations For versions 0.9.8-26 and earlier, as a temporary workaround, consider restricting access to the schedule/backup Backup Listing Endpoint until a patch is available. Avoid using crafted filenames on the server to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.