#VU66179 Incorrect Privilege Assignment in Hestia Control Panel


Published: 2022-08-08

Vulnerability identifier: #VU66179

Vulnerability risk: Low

CVSSv3.1: 6.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-2626

CWE-ID: CWE-266

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Hestia Control Panel
Client/Desktop applications / Other client software

Vendor: Hestia Control Panel

Description

The vulnerability allows a remote administrator to escalate privileges on the system.

The vulnerability exists due to incorrect permission assignment in Ubuntu, which leads to security restrictions bypass and privilege escalation.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Hestia Control Panel: 1.0.1 - 1.6.5

External links
http://github.com/hestiacp/hestiacp/commit/b178b9719bb2c98cf8a6db70065086f596afad81
http://huntr.dev/bounties/704aacc9-edff-4da5-90a6-4adf8dbf36fe

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in Hestia Control Panel