Authenticated Command Execution Vulnerability in Vesta Control Panel by VestaCP
CVE-2019-9859
8.8 HIGH
What is CVE-2019-9859?
Vesta Control Panel (VestaCP) versions 0.9.7 through 0.9.8-23 contain an authenticated command execution flaw that allows a logged-in panel user to run commands on the host and obtain remote root access. The web front end builds shell command lines from user-supplied values and runs them with PHP's exec(). VestaCP relies on escapeshellarg() to make those values safe: the function wraps a value in single quotes so that the shell spawned by exec() treats it as a single argument. In several places, however, VestaCP applies escapeshellarg() in a way that does not achieve that protection, and attacker-controlled input still reaches a shell as command syntax. Because the defect is in the code rather than in any setting, users of the affected versions cannot mitigate it through configuration and should upgrade to a release that contains the vendor's fix.
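As an added illustration (not VestaCP's own code), the following POSIX shell script reproduces what PHP's escapeshellarg() does and shows why that quoting is not sufficient on its own: the escaped value is safe for the one shell that parses the command line, but a back-end helper that splices the same value into a second command string parses it again, and injected shell syntax executes. The helper functions, the set-password operation and the attacker string are constructed for the example and do not correspond to any specific VestaCP script.

```shell
#!/bin/sh
# Added example, not VestaCP code. Demonstrates the limit of escapeshellarg()
# quoting: it protects exactly one shell-parsing pass.

# Approximation of PHP's escapeshellarg() on POSIX systems: wrap the value in
# single quotes and turn every embedded single quote into '\'' .
escapeshellarg() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Hypothetical back-end helper written the UNSAFE way. The panel hands it the
# value as one argv word (the quoting did its job), but the helper splices
# $pass into a new command string and gives it to a second shell, which parses
# the attacker's text again.
unsafe_receiver() {
    pass="$1"
    sh -c "echo set-password $pass"
}

# Hardened helper: the value travels as a separate argv word into the second
# shell and is only ever expanded inside double quotes, so it is never parsed
# as shell syntax.
safe_receiver() {
    pass="$1"
    sh -c 'echo set-password "$1"' sh "$pass"
}

# Front-end simulation. The PHP side would do
#   exec("helper " . escapeshellarg($input));
# eval below stands in for the /bin/sh that exec() spawns to parse that line.
run_unsafe() { eval "unsafe_receiver $(escapeshellarg "$1")"; }
run_safe()   { eval "safe_receiver $(escapeshellarg "$1")"; }

input='x; echo PWNED'   # constructed attacker-controlled value
echo "escapeshellarg output: $(escapeshellarg "$input")"
echo "--- unsafe helper (injected command runs) ---"
run_unsafe "$input"
echo "--- hardened helper (value stays a literal) ---"
run_safe "$input"
```

The unsafe helper prints `set-password x` followed by `PWNED`, because the inner `sh -c` saw `echo set-password x; echo PWNED` as its script. The hardened helper prints the whole string `set-password x; echo PWNED` as data. Even the hardened form does not stop a value that begins with a dash from being read as an option by the receiving command; pass `--` before user-controlled positional arguments where the command supports it.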
CVSS v3.1
Score: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
