Platform: php
Component: hestiacp
Fixed in: 1.5.9
CVE-2022-0752 describes a Cross-Site Scripting (XSS) vulnerability discovered in the HestiaCP control panel. This vulnerability allows attackers to inject malicious scripts into web pages viewed by other users, potentially leading to session hijacking or data theft. The vulnerability affects versions of HestiaCP prior to 1.5.9, and a patch has been released to address the issue.
Successful exploitation of CVE-2022-0752 allows an attacker to execute arbitrary JavaScript code within the context of a victim's browser session. This can be leveraged to steal sensitive information, such as session cookies, which would grant the attacker unauthorized access to the victim's account. Furthermore, the attacker could potentially deface the website, redirect users to malicious sites, or perform other actions on behalf of the victim. The impact is amplified if the HestiaCP instance manages sensitive user data or provides access to critical infrastructure.
CVE-2022-0752 was publicly disclosed on March 4, 2022. There is currently no indication of active exploitation in the wild, and no public proof-of-concept (PoC) code has been released. The vulnerability is not listed in the CISA KEV catalog. The CVSS score of 3.5 (LOW) suggests a relatively low probability of exploitation, but proactive patching is still recommended.
Exploit Status
EPSS: 0.31% (54th percentile)
CVSS Vector
The primary mitigation for CVE-2022-0752 is to upgrade HestiaCP to version 1.5.9 or later, which contains the fix for this vulnerability. If upgrading immediately is not feasible, consider implementing input validation and output encoding on all user-supplied data to prevent script injection. While not a complete solution, a Web Application Firewall (WAF) configured to block XSS payloads can provide an additional layer of defense. Regularly review HestiaCP configurations for any potential misconfigurations that could exacerbate the risk.
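The following is an added PHP example, not code from HestiaCP or from the advisory, illustrating the output-encoding mitigation mentioned above: it contrasts raw interpolation of a user-supplied value with context-aware encoding at the point of output. The helper names (`html_escape`, `js_escape`) and the sample input are constructed for this illustration and do not correspond to anything in HestiaCP.

```php
<?php
// Added example (not HestiaCP code): context-aware output encoding of
// user-supplied values, the generic defence against reflected and stored XSS
// that the mitigation text above refers to.

declare(strict_types=1);

/** Encode a string for insertion into HTML text or a double-quoted attribute. */
function html_escape(string $value): string
{
    // ENT_QUOTES covers both ' and ", ENT_SUBSTITUTE avoids returning ''
    // on invalid UTF-8, which would otherwise silently drop the value.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Encode a string as a JavaScript literal safe to embed in an inline <script>. */
function js_escape(string $value): string
{
    // The JSON_HEX_* flags encode <, >, &, ' and " as \uXXXX so the literal
    // cannot close the surrounding <script> element or break out of quotes.
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Constructed sample input standing in for a hostile form field value.
$untrusted = '<script>alert(1)</script>" onmouseover="alert(2)';

// Vulnerable pattern: raw interpolation into markup. Both the attribute and
// the element body can be broken out of.
$vulnerable = '<td title="' . $untrusted . '">' . $untrusted . '</td>';

// Hardened pattern: encode at the point of output for the HTML context.
$hardened = '<td title="' . html_escape($untrusted) . '">' . html_escape($untrusted) . '</td>';

// Same value handed to client-side code needs JavaScript-context encoding,
// not HTML encoding.
$script = '<script>var label = ' . js_escape($untrusted) . ';</script>';

echo "Vulnerable: $vulnerable\n";
echo "Hardened:   $hardened\n";
echo "Script:     $script\n";

// Sanity checks: the encoded output contains no raw characters that could
// terminate the attribute, open a tag, or end the <script> element early.
assert(strpos($hardened, '<script') === false);
assert(strpos($hardened, '" onmouseover') === false);
assert(strpos($script, '</script>', strlen('<script>')) === strlen($script) - strlen('</script>'));
```

Run with `php example.php`. The point of the two helpers is that encoding is context-specific: `htmlspecialchars` is correct for HTML text and attributes but not for data embedded in JavaScript, and vice versa, which is why a single "sanitize on input" step is not a substitute for encoding at each output site.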
Update HestiaCP to version 1.5.9 or later. This version contains the fix for the XSS vulnerability.
CVE-2022-0752 is a vulnerability in HestiaCP versions prior to 1.5.9 that allows attackers to inject malicious scripts into web pages, potentially stealing user data or hijacking sessions.
You are affected if you are running a HestiaCP version earlier than 1.5.9. Upgrade to version 1.5.9 or later to mitigate the risk.
Upgrade HestiaCP to version 1.5.9 or later. Consider implementing input validation and output encoding as an additional security measure.
There is currently no indication of active exploitation in the wild, but proactive patching is still recommended.
Refer to the official HestiaCP security advisory for details: https://docs.hestiacp.com/security/security-advisories/