CVE-2023-5839 - Privilege Chaining

Severity

78%

Complexity

18%

Confidentiality

98%

Privilege Chaining in GitHub repository hestiacp/hestiacp prior to 1.8.9.

CVSS 3.1 Base Score 7.8. CVSS Attack Vector: local. CVSS Attack Complexity: low. CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Demo Examples

Privilege Chaining

CWE-268

This code allows someone with the role of "ADMIN" or "OPERATOR" to reset a user's password. The role of "OPERATOR" is intended to have less privileges than an "ADMIN", but still be able to help users with small issues such as forgotten passwords.


               
}
ADMIN,OPERATOR,USER,GUEST

                     
}

                           
}

                                 
}
break;
break;
break;
System.out.println("You must be logged in to perform this command");

This code does not check the role of the user whose password is being reset. It is possible for an Operator to gain Admin privileges by resetting the password of an Admin account and taking control of that account.

Overview

First reported 1 year ago

2023-10-29 01:15:00

Last updated 1 year ago

2023-11-08 02:35:00

Affected Software

Hestia Control Panel

References

https://huntr.com/bounties/21125f12-64a0-42a3-b218-26b9945a5bc0

https://github.com/hestiacp/hestiacp/commit/acb766e1db53de70534524b3fbc2270689112630

https://huntr.com/bounties/21125f12-64a0-42a3-b218-26b9945a5bc0

Exploit, Patch, Third Party Advisory

https://github.com/hestiacp/hestiacp/commit/acb766e1db53de70534524b3fbc2270689112630

Patch

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.