VULNERABILITY v.0.9.8-26 : when new update will be available?

sauvegardezvous99 · Post by **sauvegardezvous99** » Thu Dec 10, 2020 3:34 am

hello,

2 serious new disclosures have been published here :

https://www.exploit-db.com/exploits/49220
https://www.exploit-db.com/exploits/49219

Does the team work on it ? do you provide a patch soon ?

best,

sauvegardezvous99 · Post by **sauvegardezvous99** » Thu Dec 10, 2020 3:43 am

ok the project is dead now : https://github.com/serghey-rodin/vesta/issues/2006

darkleech · Post by **darkleech** » Fri Dec 11, 2020 1:29 pm

Vesta is dead

eris · Post by **eris** » Sat Dec 12, 2020 12:20 am

https://www.vulnerability-lab.com/get_c ... hp?id=2239

A 3rd one

All are mainly XXS issues. So no real risks how ever need to be fixed

Post by **dpeca** » Sat Dec 12, 2020 1:44 pm

Only XSS issue with /list/rrd/ is real issue (and as all other XSS isues, it's not so dangerous).
First two issues (downloading someone other's backup and exploiting loginas function) are not real issues, I mean, you can exploit it only if you are already logged in as admin... I don't need to explain why it's useless.

However, myVestaCP already fixed all three issues, and HestiaCP will release fixes in next few days (they already patched code too, just it will not go to public repo instantly, and btw they don't have XSS issue with RRD period).
No need to hurry, since those issues are really trivial.

Vesta Control Panel - Forum