# Vesta Control Panel

[Vesta Control Panel](https://vestacp.com/) (VestaCP) is a free and open-source web hosting control panel designed to simplify the management of domains, web servers, databases, mail, and DNS services. It provides a lightweight interface for system administrators to configure and maintain Linux-based servers, offering functionality similar to commercial hosting panels but with reduced complexity and overhead. VestaCP is often deployed in small to medium hosting environments where ease of management and minimal resource usage are prioritized.

## Authenticated RCE

VestaCP through version `0.9.8-26` is affected by a **command injection vulnerability** ([CVE-2020-10808](https://nvd.nist.gov/vuln/detail/CVE-2020-10808)) due to improper handling of user-controlled input in the backup listing endpoint under `schedule/backup`. An attacker with the ability to create or manipulate filenames on the server can exploit this weakness to inject arbitrary shell commands. A working [PoC](https://github.com/CSpanias/vesta-rce-exploit) is available:

```bash
python3 vesta-rce-exploit.py https://192.168.1.100:8083 admin password123
```
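
A defensive check for the issue described above, as an added example that is not part of the original page or of the linked PoC: it tests whether a version string falls in the affected range and lists names under a directory that contain shell metacharacters. The metacharacter set, the function names and the sample filenames are assumptions constructed for illustration.

```python
import os
import re
import tempfile

LAST_AFFECTED = (0, 9, 8, 26)  # "through version 0.9.8-26", per the page

# Assumed set of characters that change meaning when a filename reaches a
# shell unquoted; chosen for this example, not taken from the advisory.
SHELL_META = re.compile(r"[`$;|&<>\n\r]")


def parse_version(version):
    """Turn '0.9.8-26' into (0, 9, 8, 26) for tuple comparison."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def in_affected_range(version):
    """True if the version is at or below the last affected release."""
    return parse_version(version) <= LAST_AFFECTED


def suspicious_names(root):
    """Return sorted paths under root whose own name has a shell metacharacter."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if SHELL_META.search(name):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


if __name__ == "__main__":
    # Constructed sample tree so the example runs offline.
    with tempfile.TemporaryDirectory() as root:
        for name in ("admin.2020-03-01.tar", "notes.txt", "report;echo.tar"):
            open(os.path.join(root, name), "w").close()
        print("affected:", in_affected_range("0.9.8-26"))
        for path in suspicious_names(root):
            print("review:", repr(path))
```

Point `suspicious_names` at the directories panel users can write to; a hit is a name to review, not proof of exploitation.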

