In the Password Reset Module in VESTA Control Panel up to and including 0.9.8-25 and Hestia Control Panel prior to 1.1.1, Host header manipulation leads to account takeover because the victim receives a reset URL containing an attacker-controlled server name.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
hestiacp control panel |
||
vestacp control panel |