CVE-2025-54336
BaseFortify

Publication date: 2025-08-19

Last updated on: 2025-08-26

Assigner: MITRE

Description
In Plesk Obsidian 18.0.70, _isAdminPasswordValid uses an == comparison. Thus, if the correct password is "0e" followed by any digit string, then an attacker can login with any other string that evaluates to 0.0 (such as the 0e0 string). This occurs in admin/plib/LoginManager.php.
Affected Vendors & Products (2 associated CPEs)
Vendor  Product         Version
plesk   plesk_obsidian  18.0.70
plesk   plesk_obsidian  18.0.71
CWE ID Description
CWE-697 The product compares two entities in a security-relevant context, but the comparison is incorrect.
AI Powered Q&A
Can you explain this vulnerability to me?

In Plesk Obsidian 18.0.70, the function _isAdminPasswordValid in admin/plib/LoginManager.php compares the supplied password against the expected value with PHP's loose == operator. When both operands are numeric strings, == converts them to numbers before comparing, and any string of the form "0e" followed by digits parses as 0 * 10^n, which is 0.0. So if the correct password is "0e" followed by any digit string, an attacker can authenticate with any other string that also evaluates to 0.0, such as "0e0" or "0". This is a type-juggling flaw, classified as CWE-697 (incorrect comparison).

How can this vulnerability impact me?

This vulnerability allows an attacker to bypass admin authentication without knowing the actual password, potentially gaining full administrative access. This can lead to complete compromise of the system, including unauthorized data access, modification, and disruption of services. Exploitation depends on the correct password having the "0e<digits>" form; the standard remediation for this class of bug is a strict, constant-time comparison such as hash_equals() instead of ==.
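The loose comparison described in the Description and the Q&A above, as an added example that is not Plesk's code and is not taken from the advisory. The function names isAdminPasswordValidLoose and isAdminPasswordValidStrict and the sample stored values are assumptions constructed for the demonstration; the real _isAdminPasswordValid is not reproduced. The block goes beyond the page's "0e<digits>" password case to the well-known MD5 magic-hash pair md5("240610708") and md5("QNKCDZO"), both of which are digests that start with "0e" and contain only digits, which is the same flaw when the stored value is an unsalted MD5 hex digest rather than the password itself.

```php
<?php
// Added example (not Plesk's code): models the flaw the advisory describes,
// a loose == comparison of the supplied password against the expected value.
// Function names and sample values are assumptions; the real
// _isAdminPasswordValid in admin/plib/LoginManager.php is not reproduced here.

// Vulnerable shape: PHP's == compares two numeric strings as numbers,
// and "0e<digits>" parses as 0 * 10^n, i.e. 0.0.
function isAdminPasswordValidLoose(string $expected, string $supplied): bool
{
    return $expected == $supplied;
}

// Hardened: byte-for-byte, constant-time comparison. (=== would also stop
// the type juggling but leaks timing; hash_equals() does not.)
function isAdminPasswordValidStrict(string $expected, string $supplied): bool
{
    return hash_equals($expected, $supplied);
}

// Constructed cases. The first group assumes the correct password is
// "0e" followed by digits, as in the advisory. The last case generalises
// to an unsalted MD5 hex digest as the stored value: md5("240610708") and
// md5("QNKCDZO") are well-known digests that start with "0e" and contain
// only digits, so == treats them as 0.0 == 0.0.
$cases = [
    ['0e12345', '0e0',     true],   // the advisory's bypass
    ['0e12345', '0',       true],   // any numeric string equal to 0 works
    ['0e12345', '0e12345', true],   // the real password, as expected
    ['0e12345', '0a12345', false],  // not numeric: == falls back to string compare
    ['abc123',  '0',       false],  // non-numeric expected value: plain string compare
    [md5('240610708'), md5('QNKCDZO'), true],
];

foreach ($cases as [$expected, $supplied, $looseExpected]) {
    $loose  = isAdminPasswordValidLoose($expected, $supplied);
    $strict = isAdminPasswordValidStrict($expected, $supplied);
    printf("%-34s vs %-34s  loose=%-5s strict=%-5s\n",
        $expected, $supplied, var_export($loose, true), var_export($strict, true));
    // Sanity check of the stated behaviour: the loose result matches the
    // expectation above, and the strict check only accepts an exact byte match.
    assert($loose === $looseExpected);
    assert($strict === ($expected === $supplied));
}
```

Run it with the php command-line binary; only the loose column accepts the bypass rows. If the stored value is a password hash rather than the password itself, the right replacement is password_verify() against a password_hash() value, which compares in constant time and removes the "0e<digits>" digest shape from the picture entirely.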