CVE-2025-54336

In Plesk Obsidian 18.0.70, _isAdminPasswordValid uses an == comparison. Thus, if the correct password is "0e" followed by any digit string, then an attacker can login with any other string that evaluates to 0.0 (such as the 0e0 string). This occurs in admin/plib/LoginManager.php.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://support.plesk.com/hc/en-us/articles/33785727869847-Vulnerability-CVE-2025-54336
https://www.plesk.com/blog/plesk-news-announcements/introducing-plesk-obsidian-18-0-70-anniversary-edition/

Configurations

No configuration.

History

20 Aug 2025, 14:40

Type	Values Removed	Values Added
Summary		(es) En Plesk Obsidian 18.0.70, _isAdminPasswordValid utiliza una comparación ==. Por lo tanto, si la contraseña correcta es "0e" seguida de cualquier cadena de dígitos, un atacante puede iniciar sesión con cualquier otra cadena que evalúe 0.0 (como la cadena 0e0). Esto ocurre en admin/plib/LoginManager.php.

19 Aug 2025, 14:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-08-19 14:15

Updated : 2025-08-20 14:40

NVD link : CVE-2025-54336

Mitre link : CVE-2025-54336

CVE.ORG link : CVE-2025-54336

JSON object : View

Products Affected

No product.

CWE

CWE-697

Incorrect Comparison

9.8 /10