CVE-2021-45008

Privilege Escalation from user to admin

Affected product and version: Plesk Obsidian 18.0.37

Severity: Critical

Impact: Gain high privileges, from user to admin, and access critical information

Description: Insecure permissions vulnerability that allows an unprivileged user to get admin rights.

Steps to reproduce:

  1. Log in with a user account with low roles.
  2. Capture the request with Burp.
  3. Note that the Super admin flag parameter is false.
  4. Forward the request to log in.
  5. Now log out, enter the credentials to log in again, and capture the request.
  6. Change the value of the Super admin flag parameter from false to true and forward the request.
  7. More information is now visible, such as bank account and other info.
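The class of flaw reproduced above, shown next to a hardened form, as an added example (not Plesk code and not part of the original advisory). The field name `is_super_admin`, the role store and the function names are assumptions; the advisory does not give the real parameter name.

```python
# Illustrative only: names below are hypothetical, not Plesk internals.

# Request fields that claim privilege (assumed names).
PRIVILEGE_FIELDS = {"is_super_admin", "super_admin"}

# Constructed server-side role store; the only trusted source of roles.
ROLES = {"alice": "user", "root_admin": "admin"}


def _claims_privilege(value):
    """True when a request value asserts elevated rights."""
    return str(value).strip().lower() in ("true", "1", "yes")


def build_session_vulnerable(username, params):
    """Before: the admin bit is copied from the request, so the client sets it."""
    return {"user": username,
            "admin": _claims_privilege(params.get("is_super_admin", "false"))}


def build_session(username, params):
    """After: the admin bit comes from the server-side store only.

    Privilege fields in the request are never applied; a claim that
    disagrees with the stored role is returned as an alert for logging.
    """
    is_admin = ROLES.get(username) == "admin"
    alerts = []
    for field in sorted(PRIVILEGE_FIELDS & params.keys()):
        if _claims_privilege(params[field]) and not is_admin:
            alerts.append(
                f"privilege claim mismatch: user={username} field={field}")
    return {"user": username, "admin": is_admin}, alerts


if __name__ == "__main__":
    # Constructed request: a low-privileged user sends the flag set to true.
    tampered = {"login": "alice", "is_super_admin": "true"}
    print(build_session_vulnerable("alice", tampered))
    print(build_session("alice", tampered))
```

The alert strings are meant to be written to the authentication log, where a non-admin account sending a privilege claim is a useful detection signal.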