Vulnerability Details CVE-2020-10966
In the Password Reset Module in VESTA Control Panel through 0.9.8-25 and Hestia Control Panel before 1.1.1, Host header manipulation leads to account takeover because the victim receives a reset URL containing an attacker-controlled server name.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.005
EPSS Ranking 65.0%
CVSS Severity
CVSS v3 Score 6.5
CVSS v2 Score 4.3
References
- https://github.com/hestiacp/hestiacp/issues/748
- https://github.com/hestiacp/hestiacp/releases/tag/1.1.1
- https://github.com/serghey-rodin/vesta/commit/c3c4de43d6701560f604ca7996f717b08e3d7d1d
- https://github.com/hestiacp/hestiacp/issues/748
- https://github.com/hestiacp/hestiacp/releases/tag/1.1.1
- https://github.com/serghey-rodin/vesta/commit/c3c4de43d6701560f604ca7996f717b08e3d7d1d
Products affected by CVE-2020-10966
-
cpe:2.3:a:hestiacp:control_panel:-
-
cpe:2.3:a:hestiacp:control_panel:0.9.8-28
-
cpe:2.3:a:hestiacp:control_panel:1.0.1
-
cpe:2.3:a:hestiacp:control_panel:1.0.3
-
cpe:2.3:a:hestiacp:control_panel:1.0.4
-
cpe:2.3:a:hestiacp:control_panel:1.0.5
-
cpe:2.3:a:hestiacp:control_panel:1.0.6
-
cpe:2.3:a:hestiacp:control_panel:1.00.0-190618
-
cpe:2.3:a:hestiacp:control_panel:1.1.0
-
cpe:2.3:a:vestacp:control_panel:0.9.7-13
-
cpe:2.3:a:vestacp:control_panel:0.9.7-14
-
cpe:2.3:a:vestacp:control_panel:0.9.7-15
-
cpe:2.3:a:vestacp:control_panel:0.9.7-16
-
cpe:2.3:a:vestacp:control_panel:0.9.7-17
-
cpe:2.3:a:vestacp:control_panel:0.9.7-18
-
cpe:2.3:a:vestacp:control_panel:0.9.7-19
-
cpe:2.3:a:vestacp:control_panel:0.9.7-20
-
cpe:2.3:a:vestacp:control_panel:0.9.7-21
-
cpe:2.3:a:vestacp:control_panel:0.9.7-22
-
cpe:2.3:a:vestacp:control_panel:0.9.8-1
-
cpe:2.3:a:vestacp:control_panel:0.9.8-10
-
cpe:2.3:a:vestacp:control_panel:0.9.8-11
-
cpe:2.3:a:vestacp:control_panel:0.9.8-12
-
cpe:2.3:a:vestacp:control_panel:0.9.8-13
-
cpe:2.3:a:vestacp:control_panel:0.9.8-14
-
cpe:2.3:a:vestacp:control_panel:0.9.8-15
-
cpe:2.3:a:vestacp:control_panel:0.9.8-16
-
cpe:2.3:a:vestacp:control_panel:0.9.8-17
-
cpe:2.3:a:vestacp:control_panel:0.9.8-18
-
cpe:2.3:a:vestacp:control_panel:0.9.8-19
-
cpe:2.3:a:vestacp:control_panel:0.9.8-2
-
cpe:2.3:a:vestacp:control_panel:0.9.8-20
-
cpe:2.3:a:vestacp:control_panel:0.9.8-21
-
cpe:2.3:a:vestacp:control_panel:0.9.8-22
-
cpe:2.3:a:vestacp:control_panel:0.9.8-23
-
cpe:2.3:a:vestacp:control_panel:0.9.8-24
-
cpe:2.3:a:vestacp:control_panel:0.9.8-25
-
cpe:2.3:a:vestacp:control_panel:0.9.8-3
-
cpe:2.3:a:vestacp:control_panel:0.9.8-4
-
cpe:2.3:a:vestacp:control_panel:0.9.8-5
-
cpe:2.3:a:vestacp:control_panel:0.9.8-6
-
cpe:2.3:a:vestacp:control_panel:0.9.8-7
-
cpe:2.3:a:vestacp:control_panel:0.9.8-8
-
cpe:2.3:a:vestacp:control_panel:0.9.8-9