Coder Social home page Coder Social logo

vca's People

Contributors

mend-bolt-for-github[bot] avatar v-paranoiaque avatar

Stargazers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Watchers

avatar avatar avatar avatar avatar avatar

Forkers

fikalefaza cloudxtreme hiddenk bhyvex streamuj laszlo09 taidos

vca's Issues

CVE-2020-11022 (Medium) detected in jquery-1.11.1.min.js

CVE-2020-11022 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.11.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.1/jquery.min.js

Path to vulnerable library: /vca/www/libs/jquery.min.js

Dependency Hierarchy:

  • jquery-1.11.1.min.js (Vulnerable Library)

Vulnerability Details

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11022

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/

Release Date: 2020-04-29

Fix Resolution: jQuery - 3.5.0

Step up your Open Source Security Game with WhiteSource here

CVE-2016-10735 (Medium) detected in bootstrap-3.3.4.min.js

CVE-2016-10735 - Medium Severity Vulnerability

Vulnerable Library - bootstrap-3.3.4.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.4/js/bootstrap.min.js

Path to vulnerable library: /vca/www/libs/bootstrap.min.js

Dependency Hierarchy:

  • bootstrap-3.3.4.min.js (Vulnerable Library)

Vulnerability Details

In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041.

Publish Date: 2019-01-09

URL: CVE-2016-10735

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: twbs/bootstrap#20184

Release Date: 2019-01-09

Fix Resolution: 3.4.0

Step up your Open Source Security Game with WhiteSource here

CVE-2021-26119 (High) detected in vtigercrmvtigercrm-customerportal-7.1.0

CVE-2021-26119 - High Severity Vulnerability

Vulnerable Library - vtigercrmvtigercrm-customerportal-7.1.0

An enterprise-class CRM and more!

Library home page: https://sourceforge.net/projects/vtigercrm/

Vulnerable Source Files (1)

/vca/www/libs/sysplugins/smarty_internal_compile_private_special_variable.php

Vulnerability Details

Smarty before 3.1.39 allows a Sandbox Escape because $smarty.template_object can be accessed in sandbox mode.

Publish Date: 2021-02-22

URL: CVE-2021-26119

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26119

Release Date: 2021-02-22

Fix Resolution: v3.1.39

Step up your Open Source Security Game with WhiteSource here

CVE-2018-13982 (High) detected in vtigercrmvtigercrm-customerportal-7.1.0

CVE-2018-13982 - High Severity Vulnerability

Vulnerable Library - vtigercrmvtigercrm-customerportal-7.1.0

An enterprise-class CRM and more!

Library home page: https://sourceforge.net/projects/vtigercrm/

Found in HEAD commit: a55a57c63a788c0bcba470393fb375434dcf521b

Vulnerable Source Files (1)

/vca/www/libs/sysplugins/smarty_security.php

Vulnerability Details

Smarty_Security::isTrustedResourceDir() in Smarty before 3.1.33 is prone to a path traversal vulnerability due to insufficient template code sanitization. This allows attackers controlling the executed template code to bypass the trusted directory security restriction and read arbitrary files.

Publish Date: 2018-09-18

URL: CVE-2018-13982

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-13982

Release Date: 2018-09-18

Fix Resolution: 3.1.33

Step up your Open Source Security Game with WhiteSource here

CVE-2018-14040 (Medium) detected in bootstrap-3.3.4.min.js

CVE-2018-14040 - Medium Severity Vulnerability

Vulnerable Library - bootstrap-3.3.4.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.4/js/bootstrap.min.js

Path to vulnerable library: /vca/www/libs/bootstrap.min.js

Dependency Hierarchy:

  • bootstrap-3.3.4.min.js (Vulnerable Library)

Found in HEAD commit: a55a57c63a788c0bcba470393fb375434dcf521b

Vulnerability Details

In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.

Publish Date: 2018-07-13

URL: CVE-2018-14040

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: twbs/bootstrap#26630

Release Date: 2018-07-13

Fix Resolution: org.webjars.npm:bootstrap:4.1.2,org.webjars:bootstrap:3.4.0

Step up your Open Source Security Game with WhiteSource here

CVE-2021-26120 (High) detected in vtigercrmvtigercrm-customerportal-7.1.0

CVE-2021-26120 - High Severity Vulnerability

Vulnerable Library - vtigercrmvtigercrm-customerportal-7.1.0

An enterprise-class CRM and more!

Library home page: https://sourceforge.net/projects/vtigercrm/

Vulnerable Source Files (1)

/vca/www/libs/sysplugins/smarty_internal_compile_function.php

Vulnerability Details

Smarty before 3.1.39 allows code injection via an unexpected function name after a {function name= substring.

Publish Date: 2021-02-22

URL: CVE-2021-26120

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26120

Release Date: 2021-02-22

Fix Resolution: v3.1.39

Step up your Open Source Security Game with WhiteSource here

WS-2016-0090 (Medium) detected in jquery-1.11.1.min.js

WS-2016-0090 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.11.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.1/jquery.min.js

Path to vulnerable library: /vca/www/libs/jquery.min.js

Dependency Hierarchy:

  • jquery-1.11.1.min.js (Vulnerable Library)

Found in HEAD commit: a55a57c63a788c0bcba470393fb375434dcf521b

Vulnerability Details

JQuery, before 2.2.0, is vulnerable to Cross-site Scripting (XSS) attacks via text/javascript response with arbitrary code execution.

Publish Date: 2016-11-27

URL: WS-2016-0090

CVSS 2 Score Details (4.3)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: jquery/jquery@b078a62

Release Date: 2019-04-08

Fix Resolution: 2.2.0

Step up your Open Source Security Game with WhiteSource here

Unable to start Daemon

Running under Debian Wheezy I receive the following error upon startup of the daemon.

/etc/init.d/vcadaemon start

Starting vcadaemon:
Traceback (most recent call last):
File "/usr/share/vca/daemon/vcadaemon.py", line 13, in
from server import Server
File "/usr/share/vca/daemon/server.py", line 9, in
from vps import Vps
File "/usr/share/vca/daemon/vps.py", line 6, in
import dropbox
File "/usr/local/lib/python3.2/dist-packages/dropbox/init.py", line 3, in
from .dropbox import version
File "/usr/local/lib/python3.2/dist-packages/dropbox/dropbox.py", line 18, in
from .base import DropboxBase
File "/usr/local/lib/python3.2/dist-packages/dropbox/base.py", line 7, in
from . import (
File "/usr/local/lib/python3.2/dist-packages/dropbox/files.py", line 3532
(u'file',): bv.Struct(FileMetadata),
^
SyntaxError: invalid syntax

CVE-2020-11023 (Medium) detected in jquery-1.11.1.min.js

CVE-2020-11023 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.11.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.1/jquery.min.js

Path to vulnerable library: /vca/www/libs/jquery.min.js

Dependency Hierarchy:

  • jquery-1.11.1.min.js (Vulnerable Library)

Vulnerability Details

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11023

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/jquery/jquery/security/advisories/GHSA-jpcq-cgw6-v4j6,https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#440

Release Date: 2020-04-29

Fix Resolution: jquery - 3.5.0;jquery-rails - 4.4.0

Step up your Open Source Security Game with WhiteSource here

CVE-2015-9251 (Medium) detected in jquery-1.11.1.min.js

CVE-2015-9251 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.11.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.1/jquery.min.js

Path to vulnerable library: /vca/www/libs/jquery.min.js

Dependency Hierarchy:

  • jquery-1.11.1.min.js (Vulnerable Library)

Found in HEAD commit: a55a57c63a788c0bcba470393fb375434dcf521b

Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251

Release Date: 2018-01-18

Fix Resolution: jQuery - v3.0.0

Step up your Open Source Security Game with WhiteSource here

CVE-2021-21408 (High) detected in vtigercrmvtigercrm-customerportal-7.1.0

CVE-2021-21408 - High Severity Vulnerability

Vulnerable Library - vtigercrmvtigercrm-customerportal-7.1.0

An enterprise-class CRM and more!

Library home page: https://sourceforge.net/projects/vtigercrm/

Vulnerable Source Files (1)

/vca/www/libs/sysplugins/smarty_internal_templateparser.php

Vulnerability Details

Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. Prior to versions 3.1.43 and 4.0.3, template authors could run restricted static php methods. Users should upgrade to version 3.1.43 or 4.0.3 to receive a patch.

Publish Date: 2022-01-10

URL: CVE-2021-21408

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-4h9c-v5vg-5m6m

Release Date: 2022-01-10

Fix Resolution: v3.1.43;v4.0.3

Step up your Open Source Security Game with WhiteSource here

CVE-2018-20676 (Medium) detected in bootstrap-3.3.4.min.js

CVE-2018-20676 - Medium Severity Vulnerability

Vulnerable Library - bootstrap-3.3.4.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.4/js/bootstrap.min.js

Path to vulnerable library: /vca/www/libs/bootstrap.min.js

Dependency Hierarchy:

  • bootstrap-3.3.4.min.js (Vulnerable Library)

Vulnerability Details

In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport attribute.

Publish Date: 2019-01-09

URL: CVE-2018-20676

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20676

Release Date: 2019-01-09

Fix Resolution: bootstrap - 3.4.0

Step up your Open Source Security Game with WhiteSource here

CVE-2018-14042 (Medium) detected in bootstrap-3.3.4.min.js

CVE-2018-14042 - Medium Severity Vulnerability

Vulnerable Library - bootstrap-3.3.4.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.4/js/bootstrap.min.js

Path to vulnerable library: /vca/www/libs/bootstrap.min.js

Dependency Hierarchy:

  • bootstrap-3.3.4.min.js (Vulnerable Library)

Found in HEAD commit: a55a57c63a788c0bcba470393fb375434dcf521b

Vulnerability Details

In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.

Publish Date: 2018-07-13

URL: CVE-2018-14042

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: twbs/bootstrap#26630

Release Date: 2018-07-13

Fix Resolution: org.webjars.npm:bootstrap:4.1.2.org.webjars:bootstrap:3.4.0

Step up your Open Source Security Game with WhiteSource here

CVE-2018-20677 (Medium) detected in bootstrap-3.3.4.min.js

CVE-2018-20677 - Medium Severity Vulnerability

Vulnerable Library - bootstrap-3.3.4.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.4/js/bootstrap.min.js

Path to vulnerable library: /vca/www/libs/bootstrap.min.js

Dependency Hierarchy:

  • bootstrap-3.3.4.min.js (Vulnerable Library)

Found in HEAD commit: a55a57c63a788c0bcba470393fb375434dcf521b

Vulnerability Details

In Bootstrap before 3.4.0, XSS is possible in the affix configuration target property.

Publish Date: 2019-01-09

URL: CVE-2018-20677

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20677

Release Date: 2019-01-09

Fix Resolution: Bootstrap - v3.4.0;NorDroN.AngularTemplate - 0.1.6;Dynamic.NET.Express.ProjectTemplates - 0.8.0;dotnetng.template - 1.0.0.4;ZNxtApp.Core.Module.Theme - 1.0.9-Beta;JMeter - 5.0.0

Step up your Open Source Security Game with WhiteSource here

Some requests

Hello

  1. it is possible add some time restriction?
    For example user paid one month, in administration I will set one month and after month user's vps will be stoped if he paid some months again (7 days before end his month, user will be notified in ssh and web administration about ending). VPS can't be started by user, after stop, user have for example 10 days for pay next month or his vps (data) will be deleted. This 10 days, user will still have FTP access to his VPS for download data.

  2. FTP
    Can you add FTP acces to web administration (It can be accessed by normal FTP client)?
    Login it will be same as to web administration. After login user will see root.
    In root will be folder named as his vps servers

  3. Privilage
    Can you add possibility to add more admins users (with custom names, and original admin can be disabled)

  4. Can be OOTFY changed to Google Authenticator?

This is only a proposal, and if you had any idea to do it better I'll be happy :)

Thank you for read and I belive in some changes :)
I love yours web administration :)

I'm sorry for my terrible english

How to generate Security key.

I have installed the VCA Daemon and the VCA Web interface in the same server, but i can not find where generate the Security Key and the port to use the panel.
Can you put this in to the Wiki?

Reinstall

Reinstall button not work
PHP Fatal error: Can't use method return value in write context in /usr/share/vca/www/templates/basic/popup_vpsreinstall.php on line 16, referer: http://xxxxxx.zz/vps/1

CVE-2021-29454 (High) detected in vtigercrmvtigercrm-customerportal-7.1.0

CVE-2021-29454 - High Severity Vulnerability

Vulnerable Library - vtigercrmvtigercrm-customerportal-7.1.0

An enterprise-class CRM and more!

Library home page: https://sourceforge.net/projects/vtigercrm/

Vulnerable Source Files (1)

/vca/www/libs/plugins/function.math.php

Vulnerability Details

Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. Prior to versions 3.1.42 and 4.0.2, template authors could run arbitrary PHP code by crafting a malicious math string. If a math string was passed through as user provided data to the math function, external users could run arbitrary PHP code by crafting a malicious math string. Users should upgrade to version 3.1.42 or 4.0.2 to receive a patch.

Publish Date: 2022-01-10

URL: CVE-2021-29454

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-29gp-2c3m-3j6m

Release Date: 2022-01-10

Fix Resolution: v3.1.42,v4.0.2

Step up your Open Source Security Game with WhiteSource here

CVE-2019-11358 (Medium) detected in jquery-1.11.1.min.js

CVE-2019-11358 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.11.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.1/jquery.min.js

Path to vulnerable library: /vca/www/libs/jquery.min.js

Dependency Hierarchy:

  • jquery-1.11.1.min.js (Vulnerable Library)

Found in HEAD commit: a55a57c63a788c0bcba470393fb375434dcf521b

Vulnerability Details

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.

Publish Date: 2019-04-20

URL: CVE-2019-11358

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358

Release Date: 2019-04-20

Fix Resolution: 3.4.0

Step up your Open Source Security Game with WhiteSource here

CVE-2017-1000480 (High) detected in vtigercrmvtigercrm-customerportal-7.1.0

CVE-2017-1000480 - High Severity Vulnerability

Vulnerable Library - vtigercrmvtigercrm-customerportal-7.1.0

An enterprise-class CRM and more!

Library home page: https://sourceforge.net/projects/vtigercrm/

Found in HEAD commit: a55a57c63a788c0bcba470393fb375434dcf521b

Vulnerable Source Files (1)

/vca/www/libs/sysplugins/smarty_resource_custom.php

Vulnerability Details

Smarty 3 before 3.1.32 is vulnerable to a PHP code injection when calling fetch() or display() functions on custom resources that does not sanitize template name.

Publish Date: 2018-01-03

URL: CVE-2017-1000480

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-1000480

Release Date: 2018-01-03

Fix Resolution: 3.1.32

Step up your Open Source Security Game with WhiteSource here

CVE-2019-8331 (Medium) detected in bootstrap-3.3.4.min.js

CVE-2019-8331 - Medium Severity Vulnerability

Vulnerable Library - bootstrap-3.3.4.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.4/js/bootstrap.min.js

Path to vulnerable library: /vca/www/libs/bootstrap.min.js

Dependency Hierarchy:

  • bootstrap-3.3.4.min.js (Vulnerable Library)

Vulnerability Details

In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.

Publish Date: 2019-02-20

URL: CVE-2019-8331

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: twbs/bootstrap#28236

Release Date: 2019-02-20

Fix Resolution: bootstrap - 3.4.1,4.3.1;bootstrap-sass - 3.4.1,4.3.1

Step up your Open Source Security Game with WhiteSource here

CVE-2014-8350 (High) detected in vtigercrmvtigercrm-customerportal-7.1.0

CVE-2014-8350 - High Severity Vulnerability

Vulnerable Library - vtigercrmvtigercrm-customerportal-7.1.0

An enterprise-class CRM and more!

Library home page: https://sourceforge.net/projects/vtigercrm/

Found in HEAD commit: a55a57c63a788c0bcba470393fb375434dcf521b

Vulnerable Source Files (1)

/vca/www/libs/sysplugins/smarty_internal_parsetree.php

Vulnerability Details

Smarty before 3.1.21 allows remote attackers to bypass the secure mode restrictions and execute arbitrary PHP code as demonstrated by "{literal}<{/literal}script language=php>" in a template.

Publish Date: 2014-11-03

URL: CVE-2014-8350

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8350

Release Date: 2014-11-03

Fix Resolution: 3.1.21

Step up your Open Source Security Game with WhiteSource here

CVE-2018-16831 (Medium) detected in vtigercrmvtigercrm-customerportal-7.1.0

CVE-2018-16831 - Medium Severity Vulnerability

Vulnerable Library - vtigercrmvtigercrm-customerportal-7.1.0

An enterprise-class CRM and more!

Library home page: https://sourceforge.net/projects/vtigercrm/

Found in HEAD commit: a55a57c63a788c0bcba470393fb375434dcf521b

Vulnerable Source Files (1)

/vca/www/libs/sysplugins/smarty_security.php

Vulnerability Details

Smarty before 3.1.33-dev-4 allows attackers to bypass the trusted_dir protection mechanism via a file:./../ substring in an include statement.

Publish Date: 2018-09-11

URL: CVE-2018-16831

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16831

Release Date: 2018-09-11

Fix Resolution: v3.1.33

Step up your Open Source Security Game with WhiteSource here

INSTALL.md ?

Nice project.
I am going to install vca to my server, but where is the INSTALL document?

Create new vps

Hello i have a problem when i click create new vps, not show anything, cpu load go to 100% used by php5-fpm, i have check my apache logs and nothing.

Iam use ubuntu 14.04

Preview?

Can you provide some previews of the control panel?

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.