github/myvesta
1
0
Fork 0
mirror of https://github.com/myvesta/vesta synced 2025-08-13 01:57:57 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

Version 0.9.8-26-43 changelog

Browse source
This commit is contained in:
myvesta 2021-03-15 17:41:40 +01:00 committed by GitHub
commit 60a0f38ca7
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 10 additions and 0 deletions

10
Changelog.md
View file

@ -1,3 +1,13 @@
Version 0.9.8-26-43 [15-Mar-2021]
==================================================
* [Security] fix for: CSRF remote code execution in UploadHandler.php - CVE-2021-28379 (Credits to: Fady Osman @fady_othman)
* [Security] fix for: Local privilege escalation from user account to admin account user via v-add-web-domain (Credits to: Two independent security researchers, Marti Guasch Jiménez and Francisco Andreu Sanz, working with the SSD Secure Disclosure program) (and also thanks to HestiaCP @hestiacp for fix)
* [Security] fix for: Local privilege escalation in v-generate-ssl-cert (potential user to admin or root escalation) (Credits to: Numan Türle @numanturle, thanks to HestiaCP @hestiacp for fix)
* [Security] fix for: Local privilege escalation in /web/api/ via v-make-tmp-file (probably admin to root escalation) (Credits to: Numan Türle @numanturle, thanks to HestiaCP @hestiacp for fix)
* [Security] fix for: Cross site scripting in /web/add/ip/ (admin to other admin XSS escalation) (Credits to: Numan Türle @numanturle, thanks to HestiaCP @hestiacp for fix)
* [Security] fix for: Admin to root escalation in v-activate-vesta-license (Credits to: Numan Türle @numanturle)
* [Security] Ensure HTML will not be displayed in list log page (Credits to: Kristan Kenney @kristankenney, thanks to HestiaCP @hestiacp for fix)
Version 0.9.8-26-42 [26-Feb-2021]
==================================================
* [Feature] Support for PHP 8.0, see: https://forum.myvestacp.com/viewtopic.php?f=18&t=52