CVE-2021-45008
Description
Plesk CMS 18.0.37 is affected by an insecure permissions vulnerability that allows privilege escalation from user to admin rights. NOTE: the vendor states that this is only a site-specific problem on websites of one or more Plesk users.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Insecure permissions in Plesk CMS 18.0.37 allow privilege escalation to admin by toggling a 'Super admin flag' parameter.
Vulnerability
Plesk Obsidian 18.0.37 suffers from an insecure permissions vulnerability [1]. The login request contains a Super admin flag parameter that is not properly validated, allowing any authenticated low-privileged user to escalate their role to administrator.
Exploitation
An attacker must have a valid user account with low privileges. The steps are: log in with the low-privileged account, capture the login request using a tool like Burp Suite, observe the Super admin flag parameter set to false, then log out. On the subsequent login attempt, intercept the request, change the Super admin flag parameter to true, and forward the request [1].
Impact
Successful exploitation grants the attacker full administrative rights over the Plesk instance. This includes access to sensitive information such as bank account details and other critical data [1].
Mitigation
The vendor states that this is a site-specific problem for websites of one or more Plesk users. As of the reference publication, no official patch or workaround has been released. Users should review their permission configurations and consider upgrading to a patched version if available. The CVE is not yet listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.
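As an added illustration (not code from Plesk or from the cited reference), the sketch below contrasts a login handler that copies the role from the request with one that takes it only from the server-side account record and logs a mismatch. The field name `super_admin`, the `USERS` store and both function names are hypothetical; the page only calls the parameter a "Super admin flag".

```python
import hashlib
import hmac

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed server-side account store: the only authority for roles.
USERS = {
    "alice": {"salt": b"s1", "pw": _hash("alice-pw", b"s1"), "is_admin": False},
    "root": {"salt": b"s2", "pw": _hash("root-pw", b"s2"), "is_admin": True},
}

def _authenticate(form: dict):
    """Return the stored account if the credentials match, else None."""
    user = USERS.get(form.get("username", ""))
    if user is None:
        return None
    candidate = _hash(form.get("password", ""), user["salt"])
    return user if hmac.compare_digest(candidate, user["pw"]) else None

def login_flawed(form: dict):
    """Pattern described above: the role is copied from the request body."""
    if _authenticate(form) is None:
        return None
    # Hypothetical field name; the client decides its own privilege level.
    return {"user": form["username"],
            "is_admin": form.get("super_admin") == "true"}

def login_hardened(form: dict, audit: list):
    """Role comes from the server-side record; the client flag is ignored."""
    user = _authenticate(form)
    if user is None:
        return None
    claimed = form.get("super_admin") == "true"
    if claimed and not user["is_admin"]:
        # Tampering signal worth alerting on: a non-admin asked for admin.
        audit.append({"event": "role_flag_mismatch", "user": form["username"]})
    return {"user": form["username"], "is_admin": user["is_admin"]}
```

The audit entry gives reviewers a concrete event to search for when checking whether accounts on a site have submitted a role flag that disagrees with their stored permissions.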
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Plesk/Plesk CMS (source: description)
Patches
No patches discovered yet.
References
[1] github.com/AS4mir/CVE-2021-45008/blob/main/README.md (mitre, x_refsource_MISC)