Multiple vulnerabilities in Hestia Control Panel
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2022-2636 CVE-2022-2626 |
| CWE-ID | CWE-20 CWE-266 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #1 is available. |
| Vulnerable software Subscribe |
Hestia Control Panel Client/Desktop applications / Other client software |
| Vendor | Hestia Control Panel |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Input validation error
EUVDB-ID: #VU66178
Risk: Medium
CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2022-2636
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to escalate privileges on the system.
The vulnerability exists due to insufficient validation of user-supplied input in v-add-web-domain-redirect. A remote user can pass specially crafted input to the application and gain elevated privileges on the target system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsHestia Control Panel: 1.0.1 - 1.6.5
External linkshttp://huntr.dev/bounties/357c0390-631c-4684-b6e1-a6d8b2453d66
http://github.com/hestiacp/hestiacp/commit/b178b9719bb2c98cf8a6db70065086f596afad81
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
2) Incorrect Privilege Assignment
EUVDB-ID: #VU66179
Risk: Low
CVSSv3.1: 6.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-2626
CWE-ID:
CWE-266 - Incorrect Privilege Assignment
Exploit availability: No
DescriptionThe vulnerability allows a remote administrator to escalate privileges on the system.
The vulnerability exists due to incorrect permission assignment in Ubuntu, which leads to security restrictions bypass and privilege escalation.
MitigationInstall updates from vendor's website.
Vulnerable software versionsHestia Control Panel: 1.0.1 - 1.6.5
External linkshttp://github.com/hestiacp/hestiacp/commit/b178b9719bb2c98cf8a6db70065086f596afad81
http://huntr.dev/bounties/704aacc9-edff-4da5-90a6-4adf8dbf36fe
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
