We are happy to announce that Vesta is back under active development as of 25 February 2024. We are working on v1 candidate and expect to engage more with the community over the coming months. We are committed to open source, and we encourage contributors to help us build the future of Vesta.
VULNERABILITY v.0.9.8-26 : when new update will be available?
- Posts: 25
- Joined: Mon Nov 24, 2014 11:48 pm
VULNERABILITY v.0.9.8-26 : when new update will be available?
hello,
2 serious new disclosures have been published here:
https://www.exploit-db.com/exploits/49220
https://www.exploit-db.com/exploits/49219
Does the team work on it? Do you provide a patch soon?
best,
- Posts: 25
- Joined: Mon Nov 24, 2014 11:48 pm
Re: VULNERABILITY v.0.9.8-26 : when new update will be available?
ok, the project is dead now: https://github.com/serghey-rodin/vesta/issues/2006
Re: VULNERABILITY v.0.9.8-26 : when new update will be available?
https://www.vulnerability-lab.com/get_c ... hp?id=2239
A 3rd one
All are mainly XSS issues. So no real risks, however they need to be fixed.
Re: VULNERABILITY v.0.9.8-26 : when new update will be available?
Only the XSS issue with /list/rrd/ is a real issue (and, as with all other XSS issues, it's not so dangerous).
First two issues (downloading someone else's backup and exploiting the loginas function) are not real issues, I mean, you can exploit them only if you are already logged in as admin... I don't need to explain why it's useless.
However, myVestaCP already fixed all three issues, and HestiaCP will release fixes in the next few days (they already patched the code too, it just will not go to the public repo instantly, and btw they don't have the XSS issue with the RRD period).
No need to hurry, since those issues are really trivial.
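To make the /list/rrd/ period issue discussed in this thread concrete, here is an added example (not code from the thread, VestaCP, myVestaCP or HestiaCP): the vulnerable pattern of echoing the period parameter into HTML unescaped, a hardened version that allowlists the value and escapes on output, and a scan over constructed access-log lines that flags period values outside the allowlist. The period names, the handler shape and the log lines are assumptions, not the project's real code or data.

```python
import html
import re
from urllib.parse import urlsplit, parse_qs

# Assumed allowlist of RRD period names (constructed for this example);
# confirm against the rrd templates shipped with your own installation.
ALLOWED_PERIODS = {"daily", "weekly", "monthly", "yearly"}
DEFAULT_PERIOD = "daily"

def period_from_query(query_string: str) -> str:
    """Return the raw, percent-decoded 'period' parameter (or the default)."""
    return parse_qs(query_string).get("period", [DEFAULT_PERIOD])[0]

def render_vulnerable(query_string: str) -> str:
    """Reflected-XSS pattern: the parameter is echoed into the page as-is."""
    period = period_from_query(query_string)
    return f'<h2>Statistics ({period})</h2><img src="/rrd/net/{period}.png">'

def render_hardened(query_string: str) -> str:
    """Allowlist the value first, then escape on output (defence in depth)."""
    period = period_from_query(query_string)
    if period not in ALLOWED_PERIODS:
        period = DEFAULT_PERIOD          # anything that is not a known period is dropped
    safe = html.escape(period, quote=True)
    return f'<h2>Statistics ({safe})</h2><img src="/rrd/net/{safe}.png">'

# Minimal request-line extractor for common-log-format lines.
LOG_RE = re.compile(r'"(?:GET|POST) (?P<path>\S+) HTTP/[\d.]+"')

def suspicious_rrd_requests(log_lines):
    """Flag /list/rrd/ requests whose 'period' is not one of the allowed names."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group("path"))
        if not url.path.startswith("/list/rrd/"):
            continue
        period = period_from_query(url.query)
        if period not in ALLOWED_PERIODS:
            hits.append((line.split()[0], period))   # (client IP, offending value)
    return hits

# Constructed sample log lines, not taken from any real server.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Dec/2020:10:00:00 +0000] "GET /list/rrd/?period=weekly HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Dec/2020:10:00:03 +0000] "GET /list/rrd/?period=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 640',
    '203.0.113.7 - - [01/Dec/2020:10:00:05 +0000] "GET /list/user/ HTTP/1.1" 200 480',
]
```

Running `suspicious_rrd_requests(SAMPLE_LOG)` returns only the second line's client and its decoded payload, which is the kind of check worth running over historical access logs after patching.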