Reflected XSS in Vesta Control Panel Could Lead to Remote Code Execution
CVE-2018-10686

6.1MEDIUM

Key Information:

Vendor: Vestacp
Status: Control Panel
Vendor: CVE Published:; 6 May 2018

What is CVE-2018-10686?

A vulnerability has been identified in Vesta Control Panel version 0.9.8-20 that allows for Reflected Cross-Site Scripting (XSS) attacks. This occurs through the use of the $_REQUEST['path'] parameter in the view/file/index.php URI. Successful exploitation could allow an attacker to execute arbitrary PHP code remotely via certain configurations, specifically through a file_put_contents call located within web/upload/UploadHandler.php. Proper validation and sanitization measures are crucial to mitigate these risks and protect users from potential attacks.

References

https://medium.com/%40ndrbasi/cve-2018-10686-vestacp-rce-...

x_refsource_MISC

https://github.com/serghey-rodin/vesta/issues/1558

x_refsource_MISC

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
May 6, 2018
Vulnerability Reserved
May 2, 2018

JSON

Vestacp

What is CVE-2018-10686?

References

CVSS V3.1

Timeline