Plattform
php
Komponente
hestiacp
Behoben in
1.5.9
CVE-2022-0752 describes a Cross-Site Scripting (XSS) vulnerability discovered in the HestiaCP control panel. This vulnerability allows attackers to inject malicious scripts into web pages viewed by other users, potentially leading to session hijacking or data theft. The vulnerability affects versions of HestiaCP prior to 1.5.9, and a patch has been released to address the issue.
Successful exploitation of CVE-2022-0752 allows an attacker to execute arbitrary JavaScript code within the context of a victim's browser session. This can be leveraged to steal sensitive information, such as session cookies, which would grant the attacker unauthorized access to the victim's account. Furthermore, the attacker could potentially deface the website, redirect users to malicious sites, or perform other actions on behalf of the victim. The impact is amplified if the HestiaCP instance manages sensitive user data or provides access to critical infrastructure.
CVE-2022-0752 was publicly disclosed on March 4, 2022. There is currently no indication of active exploitation in the wild, and no public proof-of-concept (POC) code has been released. The vulnerability is not listed on the CISA KEV catalog. The CVSS score of 3.5 (LOW) suggests a relatively low probability of exploitation, but proactive patching is still recommended.
Organizations and individuals using HestiaCP control panel versions prior to 1.5.9 are at risk. This includes web hosting providers using HestiaCP to manage client accounts, and developers who rely on HestiaCP for server management tasks. Shared hosting environments are particularly vulnerable, as a compromise of one account could potentially impact other users on the same server.
• php / server:
grep -r "<script" /var/www/hestiacp/• generic web:
curl -I http://your-hestiacp-domain.com | grep Content-Security-Policydisclosure
Exploit-Status
EPSS
0.31% (54% Perzentil)
CVSS-Vektor
The primary mitigation for CVE-2022-0752 is to upgrade HestiaCP to version 1.5.9 or later, which contains the fix for this vulnerability. If upgrading immediately is not feasible, consider implementing input validation and output encoding on all user-supplied data to prevent script injection. While not a complete solution, a Web Application Firewall (WAF) configured to block XSS payloads can provide an additional layer of defense. Regularly review HestiaCP configurations for any potential misconfigurations that could exacerbate the risk.
Actualice HestiaCP a la versión 1.5.9 o superior. Esta versión contiene la corrección para la vulnerabilidad XSS.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2022-0752 is a vulnerability in HestiaCP versions prior to 1.5.9 that allows attackers to inject malicious scripts into web pages, potentially stealing user data or hijacking sessions.
You are affected if you are using HestiaCP version 1.5.9 or earlier. Upgrade to version 1.5.9 or later to mitigate the risk.
Upgrade HestiaCP to version 1.5.9 or later. Consider implementing input validation and output encoding as an additional security measure.
There is currently no indication of active exploitation in the wild, but proactive patching is still recommended.
Refer to the official HestiaCP security advisory for details: https://docs.hestiacp.com/security/security-advisories/
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.