VYPR
Unrated severity · NVD Advisory · Published Mar 25, 2020 · Updated Aug 4, 2024

CVE-2020-10966

Description

VESTA and Hestia Control Panels prior to 0.9.8-25 and 1.1.1 allow account takeover via Host header manipulation in password reset emails.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The password reset module in VESTA Control Panel through version 0.9.8-25 and Hestia Control Panel before version 1.1.1 builds the password reset URL from $_SERVER['HTTP_HOST'], the raw Host header of the incoming request, without validating it [2]. At line 33 of the reset script that value is passed into the email template through the PASSWORD_RESET_REQUEST translation string, so whatever hostname the requester supplied becomes the origin of the reset link [2]. A Host header is chosen by the client, not the server, which is what makes the link's destination attacker-controlled.

Exploitation

An attacker sends a password reset request for any valid account (typically admin) with the Host header set to a domain they control [2]. The panel then emails the real account owner a reset link whose path and token are genuine but whose hostname is the attacker's domain. Because the mail is sent by the legitimate panel, nothing about it looks forged. When the victim clicks the link, the browser requests the attacker's server and delivers the reset token in the URL [2]; the attacker replays that token against the real panel to set a new password. The victim's only contribution is the click: no credentials, prior access or other interaction is required.

Impact

With the token in hand, the attacker completes the reset flow against the genuine panel, sets a new password and takes over the account [2]. If the account is administrative, that is full control of the VESTA/Hestia instance, including every hosted website, database and mail account it manages.

Mitigation

Hestia Control Panel fixed this vulnerability in version 1.1.1, released March 25, 2020 [1]. The fix replaces $_SERVER['HTTP_HOST'] with a server-side variable ($hostname) when generating the password reset email [3], so the link's origin no longer depends on the request. VESTA Control Panel through 0.9.8-25 remains vulnerable and the cited references record no official VESTA fix; users should migrate to HestiaCP 1.1.1 or later, or validate the Host header at a reverse proxy (e.g., Nginx) in front of the panel [1][2]. A proxy only helps if the panel is not reachable directly (bind it to localhost or firewall its port) and the proxy overwrites the Host header it forwards rather than passing the client's value through: in Nginx that means an explicit server_name for the panel, a proxy_set_header Host directive with a fixed value, and a default catch-all server that rejects requests for any other name.
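The flaw and its fix side by side, as an added Python illustration (not VestaCP or HestiaCP code, which is PHP): a reset-link builder that takes its host from the request header, the same builder taking the host from server configuration, and the Host allowlist check a reverse proxy or the application should apply before acting on a reset request. It covers the Exploitation and Mitigation sections above. The hostname panel.example.com, the /reset/ path, the query parameter names, port 8083 and the two request header sets are assumptions constructed for the example.

```python
"""Host-header poisoning of a password-reset link: vulnerable vs fixed.

Added illustration, not VestaCP/HestiaCP code. Hostname, path, parameter
names, port and headers below are assumptions constructed for the example.
"""
import secrets
from urllib.parse import urlencode, urlsplit

PANEL_HOSTNAME = "panel.example.com"   # assumed: server-side configured hostname
RESET_PATH = "/reset/"                 # assumed: path of the reset endpoint


def build_reset_link_vulnerable(headers: dict, user: str, code: str) -> str:
    """Vulnerable pattern: the link's host is copied from the request's Host
    header (PHP's $_SERVER['HTTP_HOST']), which the requester controls."""
    host = headers["Host"]
    query = urlencode({"action": "confirm", "user": user, "code": code})
    return f"https://{host}{RESET_PATH}?{query}"


def build_reset_link_fixed(user: str, code: str, hostname: str = PANEL_HOSTNAME) -> str:
    """Fixed pattern: the host comes from server-side configuration only."""
    query = urlencode({"action": "confirm", "user": user, "code": code})
    return f"https://{hostname}{RESET_PATH}?{query}"


def normalize_host(value: str) -> str:
    """Canonical form for comparison: lowercase, no port, no trailing dot.
    Handles bracketed IPv6 literals such as '[::1]:8083'."""
    host = value.strip().lower()
    if host.startswith("["):
        host = host.split("]", 1)[0] + "]"
    elif ":" in host:
        host = host.rsplit(":", 1)[0]
    return host.rstrip(".")


def host_is_trusted(headers: dict, allowlist=(PANEL_HOSTNAME,)) -> bool:
    """Edge check to run before a reset request is processed: the Host must
    match the allowlist exactly after normalization, and a client-supplied
    X-Forwarded-Host is rejected because some frameworks prefer it over Host.
    Run this at the proxy (or in the app if nothing sits in front of it)."""
    if "X-Forwarded-Host" in headers:
        return False
    trusted = {normalize_host(h) for h in allowlist}
    return normalize_host(headers.get("Host", "")) in trusted


def simulate_reset_request(headers: dict, user: str) -> dict:
    """One reset request end to end: mint a token, build the link both ways,
    and report which origin each link would hand the token to."""
    code = secrets.token_hex(16)
    vulnerable = build_reset_link_vulnerable(headers, user, code)
    fixed = build_reset_link_fixed(user, code)
    return {
        "accepted_by_check": host_is_trusted(headers),
        "vulnerable_link_host": urlsplit(vulnerable).hostname,
        "fixed_link_host": urlsplit(fixed).hostname,
        "code": code,
    }


# Constructed requests: an attacker asking for a reset of 'admin' with a
# spoofed Host, and a legitimate request from the panel's own origin.
ATTACK_HEADERS = {"Host": "evil.example.net", "User-Agent": "curl/7.68.0"}
LEGIT_HEADERS = {"Host": "panel.example.com:8083"}

if __name__ == "__main__":
    for label, hdrs in (("attacker", ATTACK_HEADERS), ("legitimate", LEGIT_HEADERS)):
        result = simulate_reset_request(hdrs, "admin")
        print(f"{label:10s} check={result['accepted_by_check']!s:5s} "
              f"vulnerable link goes to {result['vulnerable_link_host']}, "
              f"fixed link goes to {result['fixed_link_host']}")
```

The vulnerable builder sends the attacker's token to evil.example.net while the fixed builder always points at the configured hostname, which is the substance of the HestiaCP change from HTTP_HOST to $hostname. The allowlist check is the same decision an Nginx front-end makes with an explicit server_name and a catch-all default server; normalizing the port and case matters because the panel is commonly reached on a non-default port and a naive string comparison would reject its own legitimate Host value.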

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 3

News mentions: 0 (no linked articles in our index yet)