CVE-2021-47873
📋 TL;DR
This stored cross-site scripting vulnerability in VestaCP allows attackers to inject malicious scripts into the IP interface configuration. When administrators view the affected interface, the script executes in their browser session, potentially compromising the control panel. All VestaCP installations prior to version 0.9.8-25 are affected.
💻 Affected Systems
- Vesta Control Panel
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Administrator account takeover leading to full server compromise, data theft, and lateral movement within the network.
Likely Case
Session hijacking of administrator accounts, unauthorized configuration changes, and installation of backdoors.
If Mitigated
Limited impact if administrators use separate accounts for VestaCP and system administration with minimal privileges.
🎯 Exploit Status
Exploitation requires authentication but can be combined with other vulnerabilities or social engineering. Public exploit code is available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.9.8-25 and later
Vendor Advisory: https://vestacp.com
Restart Required: No
Instructions:
1. Back up the current configuration.
2. Run: v-update-sys-vesta-all
3. Verify the installed version with: v-list-sys-vesta-all
🔧 Temporary Workarounds
Input Validation Filter
Add input validation that rejects script tags in the v_interface parameter.
Modify /usr/local/vesta/web/add/ip/index.php to sanitize the POST input before it is stored.
🧯 If You Can't Patch
- Restrict VestaCP access to trusted IP addresses only using firewall rules
- Implement Content Security Policy headers to block inline script execution
🔍 How to Verify
Check if Vulnerable:
Check if version is below 0.9.8-25: v-list-sys-vesta-all | grep 'Vesta'
Check Version:
v-list-sys-vesta-all | grep 'Vesta'
Verify Fix Applied:
Confirm version is 0.9.8-25 or higher and test XSS payload injection
📡 Detection & Monitoring
Log Indicators:
- POST requests to /add/ip/ with script tags in parameters
- Unusual administrator session activity
Network Indicators:
- HTTP requests containing <script> tags to VestaCP endpoints
SIEM Query:
source="vestacp" AND (url="/add/ip/" AND method="POST" AND (param="v_interface" CONTAINS "<script>"))
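The following is an added example, not code from the page or from the VestaCP project, and it serves both the "Temporary Workarounds" and the "Detection & Monitoring" sections. It implements the SIEM query above over a constructed request log, but with the v_interface value URL-decoded and the script-tag check made case-insensitive, so that encoded or mixed-case variants the literal `CONTAINS "<script>"` match would miss are still flagged. It also shows the check the index.php workaround should enforce: instead of only stripping script tags, accept only values that look like a Linux interface name. Assumptions: the log format (timestamp, client, method, path, quoted url-encoded POST body) is constructed, since VestaCP's web server does not record POST bodies by default and a reverse proxy or WAF would have to capture them; the interface-name allowlist regex is my approximation of Linux naming rules (up to 15 characters of letters, digits, `.`, `_`, `:` and `-`), not a rule taken from VestaCP.

```python
import re
from urllib.parse import parse_qs

# Constructed sample log (not real VestaCP output). Each record is:
#   <timestamp> <client-ip> <method> <path> "<url-encoded POST body>"
SAMPLE_LOG = """\
2021-06-01T10:00:01Z 203.0.113.5 POST /add/ip/ "ip=192.0.2.10&netmask=255.255.255.0&v_interface=eth0&token=abc"
2021-06-01T10:00:07Z 203.0.113.5 POST /add/ip/ "ip=192.0.2.11&netmask=255.255.255.0&v_interface=%3Cscript%3Ealert(1)%3C%2Fscript%3E&token=abc"
2021-06-01T10:00:09Z 203.0.113.5 POST /add/ip/ "ip=192.0.2.12&v_interface=eth0%3CScRiPt%3E&token=abc"
2021-06-01T10:00:11Z 203.0.113.5 POST /add/ip/ "ip=192.0.2.13&v_interface=eth0%3Cb%3Ex%3C%2Fb%3E&token=abc"
2021-06-01T10:00:12Z 203.0.113.9 GET /list/ip/ ""
2021-06-01T10:00:15Z 203.0.113.9 POST /add/ip/ "ip=192.0.2.14&v_interface=eth0%3A1&token=abc"
"""

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "(?P<body>[^"]*)"$'
)

# Assumption: an allowlist approximating Linux interface names (eth0, ens3, eth0:1, br-lan).
INTERFACE_RE = re.compile(r"[A-Za-z0-9._:-]{1,15}")

# The page's indicator, made tolerant of case and whitespace variants.
SCRIPT_RE = re.compile(r"<\s*script", re.IGNORECASE)


def valid_interface_name(value: str) -> bool:
    """Allowlist check the /add/ip/ handler could apply before storing v_interface."""
    return INTERFACE_RE.fullmatch(value) is not None


def parse_line(line: str):
    """Parse one constructed log record; the body is URL-decoded into a dict."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    # parse_qs percent-decodes values and turns '+' into spaces.
    rec["params"] = {k: v[0] for k, v in parse_qs(rec["body"], keep_blank_values=True).items()}
    return rec


def find_suspicious(log_text: str):
    """Return records that match the page's SIEM query, plus allowlist violations."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != "/add/ip/":
            continue
        iface = rec["params"].get("v_interface")
        if iface is None:
            continue
        if SCRIPT_RE.search(iface):
            reason = "script tag"
        elif not valid_interface_name(iface):
            reason = "not a valid interface name"
        else:
            continue
        hits.append({"ts": rec["ts"], "client": rec["client"],
                     "v_interface": iface, "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["client"]} v_interface={hit["v_interface"]!r}: {hit["reason"]}')
```

Run against the sample, the first record (`eth0`) and the last (`eth0:1`) pass, the percent-encoded and mixed-case script tags are reported as "script tag", and the `<b>` markup, which the literal SIEM query would not catch, is reported as an allowlist violation. The same `valid_interface_name` rule, applied server-side, is the form of the workaround that does not depend on enumerating dangerous tags.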