CVE-2021-47873
Stored XSS in VestaCP IP Interface Configuration Prior
Publication date: 2026-01-21
Last updated on: 2026-01-21
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| vestacp | vestacp | to 0.9.8-25 (exc) |
| myvesta | myvesta | 0.9.9-0-15 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2021-47873 is a stored cross-site scripting (XSS) vulnerability in VestaCP versions prior to 0.9.8-25. It occurs in the IP interface configuration, specifically through the 'v_interface' parameter. An attacker can send a crafted POST request with a malicious script payload to the add/ip/ endpoint, which is not properly sanitized. This causes the malicious script to be stored and later executed in the context of the web application, potentially allowing attackers to run arbitrary JavaScript in users' browsers. [1, 2]
How can this vulnerability impact me? :
This vulnerability can allow attackers to execute arbitrary JavaScript in the context of the affected web application. This can lead to session hijacking, defacement, or other malicious actions such as stealing sensitive information or performing actions on behalf of the user without their consent. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring or capturing POST requests sent to the /add/ip/ endpoint of the VestaCP web interface and inspecting the 'v_interface' parameter for suspicious or malicious script payloads such as <script> tags. A practical approach is to use tools like curl or wget to send crafted POST requests with test payloads to see if the input is improperly sanitized and stored. For example, sending a POST request with a payload containing <script>alert(1)</script> in the 'v_interface' parameter and then checking if the script executes when viewing the IP interface configuration. Network monitoring tools or web application firewalls (WAF) can also be configured to detect such malicious POST requests. Example command using curl to test the vulnerability: curl -X POST -d "v_interface=<script>alert(1)</script>&v_ip=1.2.3.4&v_netmask=255.255.255.0&v_shared=no&v_owner=admin" https://your-vestacp-domain/add/ip/ This command attempts to inject a script payload to check if the system is vulnerable. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading VestaCP to version 0.9.8-25 or later, where this stored XSS vulnerability in the 'v_interface' parameter has been addressed. If upgrading is not immediately possible, restrict access to the VestaCP control panel to trusted IP addresses and users to reduce exposure. Additionally, implement web application firewall (WAF) rules to block or sanitize POST requests containing suspicious script tags or payloads targeting the /add/ip/ endpoint. Regularly audit and sanitize existing IP interface configurations to remove any malicious scripts that may have been stored. Monitoring and alerting on unusual POST requests to the vulnerable endpoint can also help in early detection and response. [1, 2]