CVE-2020-10966

Name of the Vulnerable Software and Affected Versions VESTA Control Panel versions 0.9.8-25 and earlier Hestia Control Panel versions prior to 1.1.1

Description The issue allows for account takeover through Host header manipulation in the Password Reset Module. This occurs because the victim receives a reset URL containing an attacker-controlled server name, enabling the attacker to take control of the account.

Recommendations For VESTA Control Panel versions 0.9.8-25 and earlier, update to a version later than 0.9.8-25 to resolve the issue. For Hestia Control Panel versions prior to 1.1.1, update to version 1.1.1 or later to fix the problem. As a temporary workaround, consider restricting access to the Password Reset Module until a patch is available.