hestiacp is vulnerable to Reflected XSS in the Hostname field within Basic Options of the function “Configure Server” in Hestia Control Panel
(1) Access https://demo.hestiacp.com:8083/edit/server/
(2) Click “Configure”
(3) Click Basic Options
(5) Enter the payload below in the hostname field and click Save
"><img src>
An attacker-controlled alert box should appear before the server's error box is shown.
This vulnerability could let an attacker steal a user's cookie and gain unauthorized access to that user's account with the stolen cookie.
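A server-side mitigation for this class of bug, as an added example that is not HestiaCP's own code: validate the hostname against a strict allow-list before using it, and HTML-escape whatever is reflected back into the page so a value like the payload above cannot break out of the attribute. Function names and the sample inputs are assumptions made for this example.

```python
import html
import re

# RFC 1123 label: 1-63 letters, digits or hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_hostname(value: str) -> bool:
    """Strict allow-list check for a hostname field (assumed helper, not HestiaCP code)."""
    if not value or len(value) > 253:
        return False
    labels = value.rstrip(".").split(".")
    return all(_LABEL.match(label) for label in labels)


def render_hostname_field(value: str) -> str:
    """Reflect a submitted value into an input attribute with HTML escaping applied."""
    # html.escape(quote=True) encodes & < > " ' so the value cannot close the attribute
    # or open a new tag; the reflected payload becomes inert text.
    return '<input name="hostname" value="%s">' % html.escape(value, quote=True)


def handle_hostname_submission(value: str) -> tuple[bool, str]:
    """Validate first; only a valid hostname is accepted, and anything echoed is escaped."""
    accepted = is_valid_hostname(value)
    return accepted, render_hostname_field(value)


if __name__ == "__main__":
    # Constructed inputs: the payload from the report and a benign hostname.
    for sample in ['"><img src>', "panel.example.com"]:
        ok, markup = handle_hostname_submission(sample)
        print(ok, markup)
```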