Platform
php
Component
hestiacp
Fixed version
1.5.11
CVE-2022-0986 describes a reflected Cross-Site Scripting (XSS) vulnerability discovered in the HestiaCP control panel. This vulnerability allows attackers to inject malicious scripts into web pages viewed by other users, potentially leading to session hijacking or defacement. The vulnerability affects versions of HestiaCP prior to 1.5.11, and a patch is available.
An attacker could exploit this XSS vulnerability by crafting a malicious URL containing JavaScript code. When a user clicks on this URL, the injected script executes in their browser within the context of the HestiaCP control panel. This could allow the attacker to steal session cookies, redirect the user to a phishing site, or modify the content of the page. The impact is primarily limited to the user's session and the specific page where the script is injected, but could be amplified if the targeted user has elevated privileges within the control panel.
CVE-2022-0986 was publicly disclosed on March 16, 2022. No known active exploitation campaigns have been reported. There are no publicly available proof-of-concept exploits at the time of writing. The vulnerability is not currently listed on the CISA KEV catalog.
Organizations using HestiaCP control panel versions prior to 1.5.11 are at risk. This includes web hosting providers using HestiaCP to manage client accounts, and businesses relying on HestiaCP for their web server administration.
• php / web:
curl -I 'https://your-hestiacp-domain.com/?param=<script>alert(1)</script>' | grep Content-Type
• generic web: Check HestiaCP access logs for unusual URL parameters containing script tags or JavaScript code.
• generic web: Use a WAF to monitor for XSS attack patterns targeting HestiaCP.
disclosure
Exploitation status
EPSS
0.33% (56th percentile)
CVSS vector
The primary mitigation for CVE-2022-0986 is to upgrade HestiaCP to version 1.5.11 or later. This version includes a fix for the reflected XSS vulnerability. If upgrading immediately is not possible, consider implementing input validation and output encoding on user-supplied data within the HestiaCP application. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can also provide an additional layer of protection. After upgrading, confirm the fix by attempting to inject a simple JavaScript payload via a URL parameter and verifying that it is properly sanitized.
Upgrade HestiaCP to version 1.5.11 or later. This version contains the fix for the reflected XSS vulnerability. The update can be performed through the HestiaCP control panel or from the command line.
CVE-2022-0986 is a reflected Cross-Site Scripting (XSS) vulnerability affecting HestiaCP versions prior to 1.5.11, allowing attackers to inject malicious scripts.
You are affected if you are running a HestiaCP version earlier than 1.5.11. Upgrade to 1.5.11 or later to resolve the vulnerability.
Upgrade HestiaCP to version 1.5.11 or later. Consider input validation and output encoding as additional security measures.
No active exploitation campaigns have been reported at this time, but vigilance is still recommended.
Refer to the official HestiaCP security advisory for details: https://docs.hestiacp.com/security/security-advisories/