An improper access control vulnerability in Axigen WebAdmin allows delegated admin accounts with zero permissions to bypass access control checks and gain unauthorized access to the SSL Certificates management endpoint, potentially leading to man-in-the-middle attacks, service disruption, or privilege escalation.
Details
Affected versions:
- Axigen 10.3.x, 10.4.x, 10.5.x up to 10.5.56; fixed starting with 10.5.57
- Axigen 10.6.x up to 10.6.25; fixed starting with 10.6.26
Vulnerability type: Improper Access Control
Affected component(s): Axigen WebAdmin
Prerequisites: The attacker must have a delegated admin account (even one with zero permissions assigned).
Description:
A flaw in the permission logic allows delegated admin accounts with insufficient privileges to access the SSL Certificates management endpoint (page=sslcerts). An admin account created with no permissions can bypass access control checks and:
- View SSL certificate files
- Download SSL certificate files
- Upload new SSL certificate files
- Delete existing SSL certificate files
This unauthorized access enables attackers to manipulate SSL certificates, potentially leading to man-in-the-middle attacks, service disruption, or domain impersonation. Additionally, attackers can leverage this access to trigger existing XSS vulnerabilities on the SSL Certificates page to attack other administrator accounts, potentially leading to complete system compromise.
Reported by: Osman Can Vural
Solution
Update now from your WebAdmin.
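To decide which installations need that update, the following is an added Python triage helper (not Axigen's own tooling) that encodes the affected version ranges listed in this advisory; the hostnames and versions in the sample inventory are constructed.

```python
# Fix versions from the advisory: the 10.3.x/10.4.x/10.5.x line is fixed from
# 10.5.57, the 10.6.x line from 10.6.26. Maps branch -> first fixed release.
FIXED_IN = {
    (10, 3): (10, 5, 57), (10, 4): (10, 5, 57), (10, 5): (10, 5, 57),
    (10, 6): (10, 6, 26),
}

def parse_version(text: str) -> tuple[int, int, int]:
    """Parse an Axigen 'major.minor.patch' string, e.g. '10.5.56' -> (10, 5, 56)."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch

def assess(version_text: str) -> dict:
    """Classify one version: 'affected' is True/False for branches the advisory
    lists and None for branches it does not mention (no verdict possible)."""
    version = parse_version(version_text)
    fixed = FIXED_IN.get(version[:2])
    if fixed is None:
        return {"version": version_text, "affected": None, "fixed_in": None}
    # Tuples compare element by element, so 10.5.56 < 10.5.57 and 10.4.12 < 10.5.57.
    return {"version": version_text, "affected": version < fixed,
            "fixed_in": ".".join(map(str, fixed))}

def triage(inventory: dict) -> list:
    """Return (host, version, verdict) rows, affected hosts first."""
    rank = {True: 0, None: 1, False: 2}
    rows = []
    for host, ver in inventory.items():
        r = assess(ver)
        if r["affected"] is True:
            verdict = f"AFFECTED, update to {r['fixed_in']} or later"
        elif r["affected"] is False:
            verdict = "fixed"
        else:
            verdict = "not covered by advisory, check vendor"
        rows.append((r["affected"], host, ver, verdict))
    rows.sort(key=lambda row: rank[row[0]])  # stable sort keeps inventory order within a rank
    return [(host, ver, verdict) for _, host, ver, verdict in rows]

# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = {"mail-1.example.test": "10.5.56", "mail-2.example.test": "10.6.26",
                    "mail-3.example.test": "10.4.12", "mail-4.example.test": "10.7.1"}

for host, ver, verdict in triage(SAMPLE_INVENTORY):
    print(f"{host:22} {ver:8} {verdict}")
```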