Vulnerabilities > CVE-2020-10966
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
NONE Integrity impact
HIGH Availability impact
NONE Summary
In the Password Reset Module in VESTA Control Panel through 0.9.8-25 and Hestia Control Panel before 1.1.1, Host header manipulation leads to account takeover because the victim receives a reset URL containing an attacker-controlled server name.
Vulnerable Configurations
References
- https://github.com/hestiacp/hestiacp/issues/748
- https://github.com/hestiacp/hestiacp/releases/tag/1.1.1
- https://github.com/serghey-rodin/vesta/commit/c3c4de43d6701560f604ca7996f717b08e3d7d1d
- https://github.com/hestiacp/hestiacp/issues/748
- https://github.com/serghey-rodin/vesta/commit/c3c4de43d6701560f604ca7996f717b08e3d7d1d
- https://github.com/hestiacp/hestiacp/releases/tag/1.1.1