Skip to main content

Control Panel CVE-2019-12791

HIGH
Path Traversal (CWE-22)
2019-08-15 cve@mitre.org
8.8
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Aug 15, 2019 - 21:15 nvd
HIGH 8.8

DescriptionNVD

A directory traversal vulnerability in the v-list-user script in Vesta Control Panel 0.9.8-24 allows remote attackers to escalate from regular registered users to root via the password reset form.

AnalysisAI

A directory traversal vulnerability in the v-list-user script in Vesta Control Panel 0.9.8-24 allows remote attackers to escalate from regular registered users to root via the password reset form. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as Path Traversal (CWE-22), which allows attackers to access files and directories outside the intended path. A directory traversal vulnerability in the v-list-user script in Vesta Control Panel 0.9.8-24 allows remote attackers to escalate from regular registered users to root via the password reset form. Affected products include: Vestacp Control Panel.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Validate and canonicalize file paths. Use chroot or sandboxing. Reject input containing path separators or '../' sequences.

CVE-2021-3797 CRITICAL POC
9.8 Sep 15

hestiacp is vulnerable to Use of Wrong Operator in String Comparison. Rated critical severity (CVSS 9.8), this vulnerabi

CVE-2022-2636 HIGH POC
8.8 Aug 05

Improper Control of Generation of Code ('Code Injection') in GitHub repository hestiacp/hestiacp prior to 1.6.6. Rated h

CVE-2022-2550 HIGH POC
8.8 Jul 27

OS Command Injection in GitHub repository hestiacp/hestiacp prior to 1.6.5. Rated high severity (CVSS 8.8), this vulnera

CVE-2022-1509 HIGH POC
8.8 Apr 28

Command Injection Vulnerability in GitHub repository hestiacp/hestiacp prior to 1.5.12. Rated high severity (CVSS 8.8),

CVE-2019-12792 HIGH POC
8.8 Aug 15

A command injection vulnerability in UploadHandler.php in Vesta Control Panel 0.9.8-24 allows remote attackers to escala

CVE-2023-5839 HIGH POC
7.8 Oct 29

Privilege Chaining in GitHub repository hestiacp/hestiacp prior to 1.8.9. Rated high severity (CVSS 7.8), this vulnerabi

CVE-2021-30463 HIGH POC
7.8 Apr 08

VestaCP through 0.9.8-24 allows attackers to gain privileges by creating symlinks to files for which they lack permissio

CVE-2022-2626 HIGH POC
7.2 Aug 05

Incorrect Privilege Assignment in GitHub repository hestiacp/hestiacp prior to 1.6.6. Rated high severity (CVSS 7.2), th

CVE-2020-10966 MEDIUM POC
6.5 Mar 25

In the Password Reset Module in VESTA Control Panel through 0.9.8-25 and Hestia Control Panel before 1.1.1, Host header

CVE-2023-3479 MEDIUM POC
6.1 Jun 30

Cross-site Scripting (XSS) - Reflected in GitHub repository hestiacp/hestiacp prior to 1.7.8. Rated medium severity (CVS

CVE-2022-0986 MEDIUM POC
6.1 Mar 16

Reflected Cross-site Scripting (XSS) Vulnerability in GitHub repository hestiacp/hestiacp prior to 1.5.11. Rated medium

CVE-2022-0752 MEDIUM POC
6.1 Mar 04

Cross-site Scripting (XSS) - Generic in GitHub repository hestiacp/hestiacp prior to 1.5.9. Rated medium severity (CVSS

Share

CVE-2019-12791 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy