CVE-2020-10966 – VESTA/Hestia Host Header Manipulation Leading to Account Takeover

Mar 25, 2020

Description

In the Password Reset Module in VESTA Control Panel through 0.9.8-25 and Hestia Control Panel before 1.1.1, Host header manipulation leads to account takeover because the victim receives a reset URL containing an attacker-controlled server name.

Vulnerability Information

Product / Framework: Vestacp
Vendor Domain: github.com
Vulnerability Type: Authentication
CVE Details: View Full CVE Details →

CVE-2020-10966 – VESTA/Hestia Host Header Manipulation Leading to Account Takeover

Description

Vulnerability Information

You may also enjoy…

The Story of a Perfect Exploit Chain: Six Bugs That Looked Harmless Until They Became Pre-Auth RCE in a Security Appliance

Inside PostHog: How SSRF, a ClickHouse SQL Escaping 0day, and Default PostgreSQL Credentials Formed an RCE Chain (ZDI-25-099, ZDI-25-097, ZDI-25-096)

The Chessboard of Security: Insights on Product Development and Vulnerabilities from a Hacker Perspective

Digital Cosmos: A Journey Through the Galaxy of Vulnerabilities

CVE-2021-3825 | LiderAhenk 0day – All your PARDUS Clients Belongs To Me