CVE-2021-45008

Privilege Escalation from user to admin

Affected product and version: Plesk Obsidian 18.0.37

Severity: Critical

Impact: Escalation of privilege from user to admin and access to critical information

Description: An insecure permissions vulnerability that allows an unprivileged user to obtain admin rights.

Steps to reproduce:

  1. Log in with a low-privilege user account.
  2. Capture the request with Burp.

(screenshot)

  3. Note that the Super admin flag parameter is false.
  4. Forward the request to log in.

(screenshot)

  5. Log out, enter the credentials to log in again, and capture the request.
  6. Change the value of the Super admin flag parameter from false to true and forward the request.

(screenshot)

  7. More information, such as bank account details and other data, is now visible.

(screenshot)
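The root cause described above is a login handler that takes the privilege level from a client-controlled flag. The following is an added example, not Plesk code: the vulnerable pattern next to a hardened handler that derives the role from the server-side account record and logs any disagreement with the client flag. The parameter name `super_admin`, the account store and the passwords are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed account store standing in for the server-side user database.
# Unsalted SHA-256 here is only a stand-in for a real password hash.
ACCOUNTS = {
    "alice": {"pw_sha256": hashlib.sha256(b"alice-pw").hexdigest(), "is_admin": False},
    "root":  {"pw_sha256": hashlib.sha256(b"root-pw").hexdigest(),  "is_admin": True},
}


@dataclass
class Session:
    user: str
    is_admin: bool


def _password_ok(acct: dict, supplied: str) -> bool:
    digest = hashlib.sha256(supplied.encode()).hexdigest()
    return hmac.compare_digest(acct["pw_sha256"], digest)


def login_vulnerable(form: dict) -> Optional[Session]:
    """Vulnerable pattern: the privilege level is read from the request body,
    so a proxy that flips super_admin=false to true gets an admin session."""
    login = form.get("login", "")
    acct = ACCOUNTS.get(login)
    if acct is None or not _password_ok(acct, form.get("password", "")):
        return None
    return Session(login, form.get("super_admin") == "true")


def login_hardened(form: dict, audit: list) -> Optional[Session]:
    """Hardened pattern: authenticate first, then take the role from the stored
    account. The client flag is never used for authorization; a mismatch
    between the flag and the stored role is recorded for detection."""
    login = form.get("login", "")
    acct = ACCOUNTS.get(login)
    if acct is None or not _password_ok(acct, form.get("password", "")):
        return None
    claimed_admin = form.get("super_admin") == "true"
    if claimed_admin != acct["is_admin"]:
        audit.append(f"privilege flag mismatch for {login!r}: claimed={claimed_admin}")
    return Session(login, acct["is_admin"])


if __name__ == "__main__":
    tampered = {"login": "alice", "password": "alice-pw", "super_admin": "true"}
    print("vulnerable:", login_vulnerable(tampered))   # is_admin=True
    log: list = []
    print("hardened:  ", login_hardened(tampered, log), log)  # is_admin=False, 1 audit line
```

The audit list is where a real deployment would emit an alert: a correct password combined with a privilege flag that contradicts the stored role is a strong tampering signal.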