Unauthenticated RCE and IP Spoofing in HestiaCP
Source: Mercuryiss.Au
Published:
Two vulnerabilities in HestiaCP, when combined, allow an unauthenticated attacker to obtain a root shell on any instance with the web terminal enabled, without leaving traces in any log files. The RCE requires two HTTP requests and the IP spoofing allows the attacker's real address to never appea