
    4 vulnerabilities found for VestaCP by VestaCP

    CVE-2020-36948 (GCVE-0-2020-36948)

    Vulnerability from nvd – Published: 2026-01-27 15:23 – Updated: 2026-03-05 01:27
    Title
    VestaCP 0.9.8-26 - 'LoginAs' Insufficient Session Validation
    Summary
    VestaCP 0.9.8-26 contains a session token vulnerability in the LoginAs module that allows remote attackers to manipulate authentication tokens. Attackers can exploit insufficient token validation to access user accounts and perform unauthorized login requests without proper administrative permissions.
    SSVC
    Exploitation: poc; Automatable: no; Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-863 - Incorrect Authorization
    Assigner
    VulnCheck
    Impacted products
    Vendor Product Version
    VestaCP VestaCP Affected: 0.9.8-26
    Date Public
    2020-11-26 00:00
    Credits
    Vulnerability-Lab

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2020-36948",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-27T21:07:57.516937Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-27T21:36:26.071Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M."
              },
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://www.exploit-db.com/exploits/49219"
              },
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://www.vulnerability-lab.com/get_content.php?id=2240"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "VestaCP",
              "vendor": "VestaCP",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.9.8-26"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:vestacp:vesta_control_panel:0.9.8-26:*:*:*:*:*:*:*",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Vulnerability-Lab"
            }
          ],
          "datePublic": "2020-11-26T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "VestaCP 0.9.8-26 contains a session token vulnerability in the LoginAs module that allows remote attackers to manipulate authentication tokens. Attackers can exploit insufficient token validation to access user accounts and perform unauthorized login requests without proper administrative permissions."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS"
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-05T01:27:04.698Z",
            "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
            "shortName": "VulnCheck"
          },
          "references": [
            {
              "name": "ExploitDB-49219",
              "tags": [
                "exploit"
              ],
              "url": "https://www.exploit-db.com/exploits/49219"
            },
            {
              "name": "VestaCP Official Homepage",
              "tags": [
                "product"
              ],
              "url": "https://vestacp.com/"
            },
            {
              "name": "Vulnerability Lab Advisory",
              "tags": [
                "technical-description",
                "exploit"
              ],
              "url": "https://www.vulnerability-lab.com/get_content.php?id=2240"
            },
            {
              "name": "Benjamin Kunz Mejri Profile",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M."
            },
            {
              "name": "VulnCheck Advisory: VestaCP 0.9.8-26 - \u0027LoginAs\u0027 Insufficient Session Validation",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.vulncheck.com/advisories/vestacp-loginas-insufficient-session-validation"
            }
          ],
          "title": "VestaCP 0.9.8-26 - \u0027LoginAs\u0027 Insufficient Session Validation",
          "x_generator": {
            "engine": "vulncheck"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "assignerShortName": "VulnCheck",
        "cveId": "CVE-2020-36948",
        "datePublished": "2026-01-27T15:23:50.046Z",
        "dateReserved": "2026-01-25T13:50:01.143Z",
        "dateUpdated": "2026-03-05T01:27:04.698Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2021-47873 (GCVE-0-2021-47873)

    Vulnerability from nvd – Published: 2026-01-21 17:27 – Updated: 2026-03-05 01:29
    Title
    VestaCP < 0.9.8-25 - Stored Cross-Site Scripting
    Summary
    VestaCP versions prior to 0.9.8-25 contain a cross-site scripting vulnerability in the IP interface configuration that allows attackers to inject malicious scripts. Attackers can exploit the 'v_interface' parameter by sending a crafted POST request to the add/ip/ endpoint with a stored XSS payload.
    SSVC
    Exploitation: poc; Automatable: no; Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    VulnCheck
    Impacted products
    Vendor Product Version
    VestaCP VestaCP Affected: from 0.9.8 through 0.9.8-25, inclusive (semver)
    Date Public
    2021-03-07 00:00
    Credits
    Numan Türle

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-47873",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-22T16:45:38.236142Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-22T16:52:17.530Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "VestaCP",
              "vendor": "VestaCP",
              "versions": [
                {
                  "lessThanOrEqual": "0.9.8-25",
                  "status": "affected",
                  "version": "0.9.8",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:vestacp:vesta_control_panel:*:*:*:*:*:*:*:*",
                      "versionEndIncluding": "0.9.8-25",
                      "versionStartIncluding": "0.9.8",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Numan T\u00fcrle"
            }
          ],
          "datePublic": "2021-03-07T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "VestaCP versions prior to 0.9.8-25 contain a cross-site scripting vulnerability in the IP interface configuration that allows attackers to inject malicious scripts. Attackers can exploit the \u0027v_interface\u0027 parameter by sending a crafted POST request to the add/ip/ endpoint with a stored XSS payload."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.1,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "PASSIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS"
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-05T01:29:04.125Z",
            "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
            "shortName": "VulnCheck"
          },
          "references": [
            {
              "name": "ExploitDB-49662",
              "tags": [
                "exploit"
              ],
              "url": "https://www.exploit-db.com/exploits/49662"
            },
            {
              "name": "VestaCP Official Vendor Homepage",
              "tags": [
                "product"
              ],
              "url": "https://vestacp.com"
            },
            {
              "name": "VestaCP Alternative Download Site",
              "tags": [
                "product"
              ],
              "url": "https://myvestacp.com"
            },
            {
              "name": "VulnCheck Advisory: VestaCP \u003c 0.9.8-25 - Stored Cross-Site Scripting",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.vulncheck.com/advisories/vestacp-stored-cross-site-scripting"
            }
          ],
          "title": "VestaCP \u003c 0.9.8-25 - Stored Cross-Site Scripting",
          "x_generator": {
            "engine": "vulncheck"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "assignerShortName": "VulnCheck",
        "cveId": "CVE-2021-47873",
        "datePublished": "2026-01-21T17:27:48.296Z",
        "dateReserved": "2026-01-18T12:35:05.171Z",
        "dateUpdated": "2026-03-05T01:29:04.125Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2020-36948 (GCVE-0-2020-36948)

    Vulnerability from cvelistv5 – Published: 2026-01-27 15:23 – Updated: 2026-03-05 01:27
    Title
    VestaCP 0.9.8-26 - 'LoginAs' Insufficient Session Validation
    Summary
    VestaCP 0.9.8-26 contains a session token vulnerability in the LoginAs module that allows remote attackers to manipulate authentication tokens. Attackers can exploit insufficient token validation to access user accounts and perform unauthorized login requests without proper administrative permissions.
    SSVC
    Exploitation: poc; Automatable: no; Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-863 - Incorrect Authorization
    Assigner
    VulnCheck
    Impacted products
    Vendor Product Version
    VestaCP VestaCP Affected: 0.9.8-26
    Date Public
    2020-11-26 00:00
    Credits
    Vulnerability-Lab

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2020-36948",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-27T21:07:57.516937Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-27T21:36:26.071Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M."
              },
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://www.exploit-db.com/exploits/49219"
              },
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://www.vulnerability-lab.com/get_content.php?id=2240"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "VestaCP",
              "vendor": "VestaCP",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.9.8-26"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:vestacp:vesta_control_panel:0.9.8-26:*:*:*:*:*:*:*",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Vulnerability-Lab"
            }
          ],
          "datePublic": "2020-11-26T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "VestaCP 0.9.8-26 contains a session token vulnerability in the LoginAs module that allows remote attackers to manipulate authentication tokens. Attackers can exploit insufficient token validation to access user accounts and perform unauthorized login requests without proper administrative permissions."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS"
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-05T01:27:04.698Z",
            "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
            "shortName": "VulnCheck"
          },
          "references": [
            {
              "name": "ExploitDB-49219",
              "tags": [
                "exploit"
              ],
              "url": "https://www.exploit-db.com/exploits/49219"
            },
            {
              "name": "VestaCP Official Homepage",
              "tags": [
                "product"
              ],
              "url": "https://vestacp.com/"
            },
            {
              "name": "Vulnerability Lab Advisory",
              "tags": [
                "technical-description",
                "exploit"
              ],
              "url": "https://www.vulnerability-lab.com/get_content.php?id=2240"
            },
            {
              "name": "Benjamin Kunz Mejri Profile",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M."
            },
            {
              "name": "VulnCheck Advisory: VestaCP 0.9.8-26 - \u0027LoginAs\u0027 Insufficient Session Validation",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.vulncheck.com/advisories/vestacp-loginas-insufficient-session-validation"
            }
          ],
          "title": "VestaCP 0.9.8-26 - \u0027LoginAs\u0027 Insufficient Session Validation",
          "x_generator": {
            "engine": "vulncheck"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "assignerShortName": "VulnCheck",
        "cveId": "CVE-2020-36948",
        "datePublished": "2026-01-27T15:23:50.046Z",
        "dateReserved": "2026-01-25T13:50:01.143Z",
        "dateUpdated": "2026-03-05T01:27:04.698Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2021-47873 (GCVE-0-2021-47873)

    Vulnerability from cvelistv5 – Published: 2026-01-21 17:27 – Updated: 2026-03-05 01:29
    Title
    VestaCP < 0.9.8-25 - Stored Cross-Site Scripting
    Summary
    VestaCP versions prior to 0.9.8-25 contain a cross-site scripting vulnerability in the IP interface configuration that allows attackers to inject malicious scripts. Attackers can exploit the 'v_interface' parameter by sending a crafted POST request to the add/ip/ endpoint with a stored XSS payload.
    SSVC
    Exploitation: poc; Automatable: no; Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    VulnCheck
    Impacted products
    Vendor Product Version
    VestaCP VestaCP Affected: from 0.9.8 through 0.9.8-25, inclusive (semver)
    Date Public
    2021-03-07 00:00
    Credits
    Numan Türle

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-47873",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-22T16:45:38.236142Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-22T16:52:17.530Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "VestaCP",
              "vendor": "VestaCP",
              "versions": [
                {
                  "lessThanOrEqual": "0.9.8-25",
                  "status": "affected",
                  "version": "0.9.8",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:vestacp:vesta_control_panel:*:*:*:*:*:*:*:*",
                      "versionEndIncluding": "0.9.8-25",
                      "versionStartIncluding": "0.9.8",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Numan T\u00fcrle"
            }
          ],
          "datePublic": "2021-03-07T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "VestaCP versions prior to 0.9.8-25 contain a cross-site scripting vulnerability in the IP interface configuration that allows attackers to inject malicious scripts. Attackers can exploit the \u0027v_interface\u0027 parameter by sending a crafted POST request to the add/ip/ endpoint with a stored XSS payload."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.1,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "PASSIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS"
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-05T01:29:04.125Z",
            "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
            "shortName": "VulnCheck"
          },
          "references": [
            {
              "name": "ExploitDB-49662",
              "tags": [
                "exploit"
              ],
              "url": "https://www.exploit-db.com/exploits/49662"
            },
            {
              "name": "VestaCP Official Vendor Homepage",
              "tags": [
                "product"
              ],
              "url": "https://vestacp.com"
            },
            {
              "name": "VestaCP Alternative Download Site",
              "tags": [
                "product"
              ],
              "url": "https://myvestacp.com"
            },
            {
              "name": "VulnCheck Advisory: VestaCP \u003c 0.9.8-25 - Stored Cross-Site Scripting",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.vulncheck.com/advisories/vestacp-stored-cross-site-scripting"
            }
          ],
          "title": "VestaCP \u003c 0.9.8-25 - Stored Cross-Site Scripting",
          "x_generator": {
            "engine": "vulncheck"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "assignerShortName": "VulnCheck",
        "cveId": "CVE-2021-47873",
        "datePublished": "2026-01-21T17:27:48.296Z",
        "dateReserved": "2026-01-18T12:35:05.171Z",
        "dateUpdated": "2026-03-05T01:29:04.125Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }