
Description

VestaCP 0.9.8-26 contains a session token vulnerability in the LoginAs module that allows remote attackers to manipulate authentication tokens. Attackers can exploit insufficient token validation to access user accounts and perform unauthorized login requests without proper administrative permissions.

PUBLISHED | Reserved 2026-01-25 | Published 2026-01-27 | Updated 2026-01-27 | Assigner VulnCheck

HIGH: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)
CRITICAL: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Problem types

Incorrect Authorization

Product status

0.9.8-26: affected

Credits

Vulnerability-Lab (finder)

References

www.vulnerability-lab.com/show.php?user=Benjamin%20K.M. (Benjamin Kunz Mejri Profile) exploit, vendor-advisory

www.exploit-db.com/exploits/49219 (ExploitDB-49219) exploit

www.vulnerability-lab.com/get_content.php?id=2240 (Vulnerability Lab Advisory) technical-description, exploit

vestacp.com/ (VestaCP Official Homepage) product

www.vulncheck.com/...loginas-insufficient-session-validation (VulnCheck Advisory: VestaCP 0.9.8-26 - 'LoginAs' Insufficient Session Validation) third-party-advisory

cve.org (CVE-2020-36948)

nvd.nist.gov (CVE-2020-36948)
