CVE-2020-10808
Summary
| CVE | CVE-2020-10808 |
|---|
| State | PUBLIC |
|---|
| Assigner | [email protected] |
|---|
| Source Priority | CVE Program / NVD first with legacy fallback |
|---|
| Published | 2020-03-22 17:15:00 UTC |
|---|
| Updated | 2023-02-03 19:29:00 UTC |
|---|
| Description | Vesta Control Panel (VestaCP) through 0.9.8-26 allows Command Injection via the schedule/backup Backup Listing Endpoint. The attacker must be able to create a crafted filename on the server, as demonstrated by an FTP session that renames .bash_logout to a .bash_logout' substring followed by shell metacharacters. |
|---|
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|
| Adding Vesta Control Panel Remote Code Execution 0day by mdisec · Pull Request #13094 · rapid7/metasploit-framework · GitHub |
MISC |
github.com |
Patch, Third Party Advisory |
| Vesta Control Panel - Forum • View forum - Updates |
MISC |
forum.vestacp.com |
Release Notes, Vendor Advisory |
| Vesta Control Panel Second Order Remote Code Execution 0day Step-by-Step Analysis – Pentest Blog |
MISC |
pentest.blog |
Exploit, Third Party Advisory |
| Vesta Control Panel Authenticated Remote Code Execution ≈ Packet Storm |
MISC |
packetstormsecurity.com |
|
| Vesta Control Panel Authenticated Remote Code Execution ≈ Packet Storm |
MISC |
packetstormsecurity.com |
|
| CVE Program record |
CVE.ORG |
www.cve.org |
canonical |
| NVD vulnerability detail |
NVD |
nvd.nist.gov |
canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 376675 Vesta Control Panel Command Injection Vulnerability
