CVE-2021-30070

high

Description

An issue was discovered in HestiaCP before v1.3.5. Attackers are able to arbitrarily install packages due to values taken from the pgk [] parameter in the update request being transmitted to the operating system's package manager.

References

https://github.com/hestiacp/hestiacp/commit/9a1fccd37f2842fdf96ffb48895c4bfa9788c469

https://github.com/hestiacp/hestiacp/commit/27556a9a43aeaf308b33be224c2e70f2011574e6

Details

Source: Mitre, NVD

Published: 2022-08-18

Updated: 2022-08-19

Risk Information

CVSS v2

Base Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:C/A:N

Severity: High

CVSS v3

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N