First published: Sun Mar 22 2020 (Updated: )
Vesta Control Panel (VestaCP) through 0.9.8-26 allows Command Injection via the schedule/backup Backup Listing Endpoint. The attacker must be able to create a crafted filename on the server, as demonstrated by an FTP session that renames .bash_logout to a .bash_logout' substring followed by shell metacharacters.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Vestacp Vesta Control Panel | <=0.9.8-26 | |
CVE-2020-10808 is a command injection vulnerability in Vesta Control Panel (VestaCP) through version 0.9.8-26, which allows an attacker to execute arbitrary commands on the server.
CVE-2020-10808 has a severity rating of 8.8 out of 10, indicating it is critical.
Vesta Control Panel (VestaCP) versions up to and including 0.9.8-26 are affected by CVE-2020-10808.
An attacker can exploit CVE-2020-10808 by creating a crafted file name on the server, such as during an FTP session, which can then be used for command injection.
At the moment, there are no known fixes or patches available for CVE-2020-10808. It is recommended to update to the latest version of Vesta Control Panel when a patch becomes available.
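The root cause described above (a filename containing a single quote and shell metacharacters reaching a shell-interpreted command string) is illustrated below with an added example; this is hypothetical code written for this page, not VestaCP's own backup listing code, and the `tar -tzf` listing command, the sample filenames and the allowlist pattern are all assumptions.

```python
"""Filename-driven command injection: unsafe interpolation beside a hardened form.

Hypothetical illustration of the bug class behind CVE-2020-10808; not VestaCP code.
"""
import re
import shlex

# Constructed sample entry names: a benign dotfile and one shaped like the
# crafted name the advisory describes (quote followed by shell metacharacters).
BENIGN_NAME = ".bash_logout"
CRAFTED_NAME = ".bash_logout'; echo injected; '"

# Allowlist for backup entry names: letters, digits, dot, underscore, hyphen only.
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]{1,255}")


def build_listing_unsafe(name: str) -> str:
    """Unsafe pattern: wrap the name in single quotes inside a shell string.
    A single quote in `name` closes the quoting, and everything after it is
    parsed as shell syntax. Returned as a string for inspection; never run it."""
    return f"tar -tzf backup.tar.gz '{name}'"


def build_listing_safe(name: str) -> list[str]:
    """Hardened pattern: validate against the allowlist, then pass the name as a
    separate argv element (subprocess.run(argv) without shell=True), so it can
    only ever be a literal argument."""
    if not SAFE_NAME.fullmatch(name):
        raise ValueError(f"rejected backup entry name: {name!r}")
    return ["tar", "-tzf", "backup.tar.gz", "--", name]


def quote_for_shell(name: str) -> str:
    """If a shell string is unavoidable, shlex.quote turns the name into one
    literal word: embedded quotes are escaped rather than interpreted."""
    return f"tar -tzf backup.tar.gz {shlex.quote(name)}"


def shell_word_count(command: str) -> int:
    """Review check: count the words a POSIX shell would see. The listing
    command should always be exactly 4 words; more means the name broke out."""
    return len(shlex.split(command))


if __name__ == "__main__":
    for name in (BENIGN_NAME, CRAFTED_NAME):
        cmd = build_listing_unsafe(name)
        print(f"{name!r}: unsafe form yields {shell_word_count(cmd)} shell words")
        print(f"{name!r}: quoted form yields {shell_word_count(quote_for_shell(name))}")
```

Run stand-alone it prints the word counts; the benign name yields 4 in both forms while the crafted name yields more than 4 in the unsafe form and 4 once quoted.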