CVE-2021-46850: Command Injection
First published: Mon Oct 24 2022(Updated: )
myVesta Control Panel before 0.9.8-26-43 and Vesta Control Panel before 0.9.8-26 are vulnerable to command injection. An authenticated and remote administrative user can execute arbitrary commands via the v_sftp_license parameter when sending HTTP POST requests to the /edit/server endpoint.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Vestacp Control Panel | <0.9.8-26-43 | |
| Vestacp Vesta Control Panel | <0.9.8-26 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://blog.talosintelligence.com/2021/06/necro-python-bot-adds-new-tricks.html
- https://github.com/myvesta/vesta/commit/7991753ab7c5c568768028fb77554db8ea149f17
- https://github.com/myvesta/vesta/releases/tag/0.9.8-26-43
- https://github.com/serghey-rodin/vesta/commit/a4e4542a6d1351c2857b169f8621dd9a13a2e896
- https://www.exploit-db.com/exploits/49674
Frequently Asked Questions
What is the vulnerability ID for this vulnerability?
The vulnerability ID for this vulnerability is CVE-2021-46850.
What is the severity of CVE-2021-46850?
The severity of CVE-2021-46850 is high with a severity value of 7.2.
Which versions of myVesta Control Panel are affected by CVE-2021-46850?
Versions of myVesta Control Panel before 0.9.8-26-43 are affected by CVE-2021-46850.
Which versions of Vesta Control Panel are affected by CVE-2021-46850?
Versions of Vesta Control Panel before 0.9.8-26 are affected by CVE-2021-46850.
How does the vulnerability in myVesta Control Panel and Vesta Control Panel manifest?
The vulnerability in myVesta Control Panel and Vesta Control Panel manifests as a command injection vulnerability.
- collector/nvd-index
- agent/weakness
- agent/references
- agent/type
- agent/event
- vendor/vestacp
- canonical/vestacp control panel
- canonical/vestacp vesta control panel