Reflected Cross-site Scripting (XSS) Vulnerability in hestiacp/hestiacp
Mar 9th 2022
hestiacp is vulnerable to Reflected XSS in the Hostname field within Basic Options of the function "Configure Server" in Hestia Control Panel
Proof of Concept
(1) Access https://demo.hestiacp.com:8083/edit/server/
(2) Click "Configure"
(3) Click Basic Options
(4) Enter below as payload in the hostname field and click save
"><img src=x onerror=alert(document.domain)>
An attacker control alert box should prompt before an error box prompt from server.
This vulnerability is capable for letting attacker potentially steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie.
Modified the report for another function that is vulnerable to Reflected XSS, and the original reported one is now fixed.
@maintainer @admin May I have CVE assigned for this case?
The XSS vulnerability is indeed successfully executed how ever document.cookie doesn't contain any private data that contains. Session ID or "Access" Cookies.
Session cookies are always managed via our own "php-fpm" install as it always supposed to run on port 8083.
Before assigning a CVE, we do require the 👍 from the maintainer.
@admin please go a head
CVE-2022-0986 - please ping me once this is ready to be published + fixed 👍
CVE published! 🎊 It should be available in the MITRE/NVD databases shortly.