huntr scriptidiot 57635C78-303F-412F-B75A-623DF9FA9EDD
History Mar 09, 2022 - 2:33 p.m.

Reflected Cross-site Scripting (XSS) Vulnerability

2022-03-09 14:33:55
scriptidiot
www.huntr.dev
16
vulnerability
hestia control panel
configure server
hostname field
cross-site scripting
impact
cookie
unauthorized access

EPSS

0.001

Percentile

30.0%

Description

hestiacp is vulnerable to reflected XSS in the Hostname field, under Basic Options of the “Configure Server” function in Hestia Control Panel.

Proof of Concept

(1) Access https://demo.hestiacp.com:8083/edit/server/

(2) Click “Configure”

(3) Click Basic Options

(4) Enter the payload below in the hostname field and click Save

"><img src>

An attacker-controlled alert box should appear before the error box from the server.

Impact

This vulnerability could let an attacker steal a user’s cookie and gain unauthorized access to that user’s account through the stolen cookie.
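The fix for this class of bug is to encode the hostname for the HTML attribute context on output and to reject non-hostname input on save. The PHP below is an added illustration, not Hestia's code: the function names and the `hostname` field name are hypothetical, and it assumes the value is reflected into a `value="..."` attribute, as the leading `">` of the payload suggests.

```php
<?php
// Added illustration; not taken from Hestia. All names here are hypothetical.

// Vulnerable pattern: the submitted value goes into value="..." unchanged,
// so a double quote closes the attribute and the rest is parsed as markup.
function render_hostname_unsafe(string $hostname): string
{
    return '<input type="text" name="hostname" value="' . $hostname . '">';
}

// Hardened pattern: encode for the HTML attribute context at output time.
function render_hostname_safe(string $hostname): string
{
    $encoded = htmlspecialchars($hostname, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="hostname" value="' . $encoded . '">';
}

// Input check on save: accept only dot-separated labels of letters, digits
// and hyphens (1 to 63 characters each, 253 in total, no leading or
// trailing hyphen). \A and \z anchor the match so a trailing newline fails.
function is_valid_hostname(string $hostname): bool
{
    if ($hostname === '' || strlen($hostname) > 253) {
        return false;
    }
    foreach (explode('.', $hostname) as $label) {
        if (!preg_match('/\A[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\z/i', $label)) {
            return false;
        }
    }
    return true;
}

// Constructed sample input: one ordinary hostname and the string from the report.
$samples = ['panel.example.com', '"><img src>'];

foreach ($samples as $s) {
    printf(
        "%s\n  valid:  %s\n  unsafe: %s\n  safe:   %s\n",
        $s,
        is_valid_hostname($s) ? 'yes' : 'no',
        render_hostname_unsafe($s),
        render_hostname_safe($s)
    );
}
```

Validation alone is not enough if the rejected value is echoed back in the error page, so the output encoding has to be applied on every path that re-renders the field.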
