CVE-2020-36948

high

Description

VestaCP 0.9.8-26 contains a session token vulnerability in the LoginAs module that allows remote attackers to manipulate authentication tokens. Attackers can exploit insufficient token validation to access user accounts and perform unauthorized login requests without proper administrative permissions.

References

https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.

https://www.vulnerability-lab.com/get_content.php?id=2240

https://www.vulncheck.com/advisories/vestacp-loginas-insufficient-session-validation

https://www.exploit-db.com/exploits/49219

https://vestacp.com/

Details

Source: Mitre, NVD

Published: 2026-01-27

Updated: 2026-01-29

Risk Information

CVSS v2

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Severity: Critical

CVSS v3

Base Score: 9.8

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical

CVSS v4

Base Score: 8.7

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Severity: High

EPSS

EPSS: 0.00235