Reflected Cross-site Scripting (XSS) Vulnerability in hestiacp/hestiacp
Platform: php
Component: hestiacp
Fixed version: 1.5.11
CVE-2022-0986 describes a reflected Cross-Site Scripting (XSS) vulnerability discovered in the HestiaCP control panel. This vulnerability allows attackers to inject malicious scripts into web pages viewed by other users, potentially leading to session hijacking or defacement. The vulnerability affects versions of HestiaCP prior to 1.5.11, and a patch is available.
Impact and attack scenarios
An attacker could exploit this XSS vulnerability by crafting a malicious URL containing JavaScript code. When a user clicks on this URL, the injected script executes in their browser within the context of the HestiaCP control panel. This could allow the attacker to steal session cookies, redirect the user to a phishing site, or modify the content of the page. The impact is primarily limited to the user's session and the specific page where the script is injected, but could be amplified if the targeted user has elevated privileges within the control panel.
Exploitation context
CVE-2022-0986 was publicly disclosed on March 16, 2022. No known active exploitation campaigns have been reported. There are no publicly available proof-of-concept exploits at the time of writing. The vulnerability is not currently listed on the CISA KEV catalog.
Who is at risk
Organizations using HestiaCP control panel versions prior to 1.5.11 are at risk. This includes web hosting providers using HestiaCP to manage client accounts, and businesses relying on HestiaCP for their web server administration.
Detection steps
- php / web: curl -I 'https://your-hestiacp-domain.com/?param=<script>alert(1)</script>' | grep Content-Type
- generic web: Check HestiaCP access logs for unusual URL parameters containing script tags or JavaScript code.
- generic web: Use a WAF to monitor for XSS attack patterns targeting HestiaCP.
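The access-log check above can be automated. The script below is an added example, not part of this advisory or of HestiaCP: it assumes the web server writes nginx/Apache "combined" format lines (the sample lines are constructed for illustration), URL-decodes each query parameter repeatedly so double-encoded values are not missed, and flags values that contain script tags, HTML elements with event handlers, or javascript: URIs. The indicator list is a starting point for a detection rule, not an exhaustive signature set.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Constructed sample lines in nginx/Apache "combined" log format (not real HestiaCP logs).
SAMPLE_LOG = """\
203.0.113.10 - - [16/Mar/2022:10:01:22 +0000] "GET /list/web/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.11 - - [16/Mar/2022:10:02:05 +0000] "GET /list/user/?user=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 4098 "-" "curl/7.81.0"
203.0.113.12 - - [16/Mar/2022:10:03:41 +0000] "GET /search/?q=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 3011 "-" "Mozilla/5.0"
203.0.113.13 - - [16/Mar/2022:10:04:17 +0000] "GET /edit/web/?domain=example.com HTTP/1.1" 200 6210 "-" "Mozilla/5.0"
203.0.113.14 - - [16/Mar/2022:10:05:02 +0000] "GET /login/?next=javascript:alert(document.cookie) HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Extracts the request line: method, target (path + query) and protocol.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Indicators of script injection in a fully decoded parameter value.
XSS_INDICATORS = [
    re.compile(r"<\s*script\b", re.I),                          # <script ...>
    re.compile(r"<\s*(img|svg|iframe|body|object|embed)\b", re.I),  # tags that commonly carry handlers
    re.compile(r"\bon[a-z]+\s*=", re.I),                        # onerror=, onload=, ...
    re.compile(r"javascript\s*:", re.I),                        # javascript: URIs
]


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly (bounded) so double-encoded payloads are not missed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(target):
    """Return (name, decoded_value) pairs of query parameters matching an XSS indicator."""
    query = urlsplit(target).query
    hits = []
    # parse_qsl already decodes one layer; fully_decode handles any further layers.
    for name, value in parse_qsl(query, keep_blank_values=True):
        decoded = fully_decode(value)
        if any(p.search(decoded) for p in XSS_INDICATORS):
            hits.append((name, decoded))
    return hits


def scan_log(text):
    """Scan combined-format log lines; return a list of (client_ip, param, decoded_value)."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        client_ip = line.split(" ", 1)[0]
        for name, decoded in suspicious_params(m.group("target")):
            findings.append((client_ip, name, decoded))
    return findings


if __name__ == "__main__":
    for ip, name, value in scan_log(SAMPLE_LOG):
        print(f"{ip}: parameter {name!r} -> {value!r}")
```

Run it against a real log with `scan_log(open(path).read())`; on the constructed sample it reports the three lines carrying a script tag, a double-encoded img/onerror value, and a javascript: URI, and ignores the two benign requests.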
Attack timeline
- Disclosure
Threat intelligence
Exploitation status
EPSS
0.33% (56th percentile)
CVSS vector
What do these metrics mean?
- Attack Vector
- Network: exploitable remotely over the internet, with no physical or local access required. The largest attack surface.
- Attack Complexity
- Low: no special conditions are needed; the vulnerability can be exploited reliably.
- Privileges Required
- High: an administrator or otherwise privileged account is required.
- User Interaction
- Required: the victim must open a file, click a link, or visit a crafted page.
- Scope
- Unchanged: the impact is confined to the vulnerable component itself.
- Confidentiality
- Low: some data can be accessed.
- Integrity
- None: no impact on integrity.
- Availability
- None: no impact on availability.
Affected software
Weakness classification (CWE)
Timeline
- Reserved
- Published
- Modified
- EPSS updated
Mitigations and workarounds
The primary mitigation for CVE-2022-0986 is to upgrade HestiaCP to version 1.5.11 or later. This version includes a fix for the reflected XSS vulnerability. If upgrading immediately is not possible, consider implementing input validation and output encoding on user-supplied data within the HestiaCP application. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can also provide an additional layer of protection. After upgrading, confirm the fix by attempting to inject a simple JavaScript payload via a URL parameter and verifying that it is properly sanitized.
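The two code-level mitigations named above, output encoding of reflected data and a post-upgrade check that a probe comes back encoded, are illustrated below in an added example. This is not HestiaCP code: the page templates are constructed stand-ins for any PHP or Python page that echoes a query parameter into HTML, and `check_reflection` is a hypothetical helper you would point at the real response body after fetching the URL with the probe. It shows the vulnerable concatenation beside the encoded form, and why `quote=True` matters when the value lands inside a quoted attribute.

```python
from html import escape
from urllib.parse import parse_qs, urlencode

# Constructed templates standing in for pages that echo a query parameter into HTML
# (assumption for illustration; not HestiaCP's own templates).
TEXT_TEMPLATE = "<h1>Results for: {value}</h1>"
ATTR_TEMPLATE = '<input name="q" value="{value}">'


def _param(query, name="q"):
    """Pull one query-string parameter, percent-decoded, or '' if absent."""
    return parse_qs(query, keep_blank_values=True).get(name, [""])[0]


def render_unsafe(query):
    """Vulnerable pattern: the raw parameter value is concatenated into HTML."""
    return TEXT_TEMPLATE.format(value=_param(query))


def render_safe_text(query):
    """Hardened pattern for an HTML text context: encode &, <, > and quotes."""
    return TEXT_TEMPLATE.format(value=escape(_param(query), quote=True))


def render_safe_attr(query):
    """Hardened pattern for a quoted attribute context. quote=True is essential
    here: without it a value containing '"' could close the attribute early."""
    return ATTR_TEMPLATE.format(value=escape(_param(query), quote=True))


def check_reflection(body, probe):
    """Post-upgrade verification (hypothetical helper): report whether the probe
    came back raw (still vulnerable) or only in HTML-encoded form (fix in place)."""
    return {
        "raw_reflected": probe in body,
        "encoded_reflected": escape(probe, quote=True) in body,
    }


# Probe values: the same simple payload the advisory suggests, plus a variant
# with a leading quote to exercise the attribute context.
TEXT_PROBE = "<script>alert(1)</script>"
ATTR_PROBE = '"><script>alert(1)</script>'

if __name__ == "__main__":
    q = urlencode({"q": TEXT_PROBE})
    print("unsafe text :", check_reflection(render_unsafe(q), TEXT_PROBE))
    print("safe text   :", check_reflection(render_safe_text(q), TEXT_PROBE))
    aq = urlencode({"q": ATTR_PROBE})
    print("safe attr   :", render_safe_attr(aq))
```

In practice the body passed to `check_reflection` is the HTTP response fetched with the probe in the URL; a result of `raw_reflected: True` after the upgrade means the parameter is still echoed without encoding and the page needs further attention. Encoding must match the output context: the HTML-entity form shown here is correct for element text and quoted attributes, while data placed into JavaScript or URLs needs the encoding for that context instead.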
Remediation
Upgrade HestiaCP to version 1.5.11 or later. This version contains the fix for the reflected XSS vulnerability. The upgrade can be performed through the HestiaCP control panel or from the command line.
Frequently asked questions
What is CVE-2022-0986 — XSS in HestiaCP?
CVE-2022-0986 is a reflected Cross-Site Scripting (XSS) vulnerability affecting HestiaCP versions prior to 1.5.11, allowing attackers to inject malicious scripts.
Am I affected by CVE-2022-0986 in HestiaCP?
You are affected if you are using a HestiaCP version earlier than 1.5.11. Upgrade to 1.5.11 or later to resolve the vulnerability.
How do I fix CVE-2022-0986 in HestiaCP?
Upgrade HestiaCP to version 1.5.11 or later. Consider input validation and output encoding as additional security measures.
Is CVE-2022-0986 being actively exploited?
No active exploitation campaigns have been reported at this time, but vigilance is still recommended.
Where can I find the official HestiaCP advisory for CVE-2022-0986?
Refer to the official HestiaCP security advisory for details: https://docs.hestiacp.com/security/security-advisories/