Sensitive data disclosure and manipulation due to unnecessary privileges assignment. The following products are affected: Acronis Backup plugin for cPanel & WHM (Linux) before build 619, Acronis Backup extension for Plesk (Linux) before build 555, Acronis Backup plugin for DirectAdmin (Linux) before build 147.
The issue stems from improper privilege assignment (CWE-250 — Execution with Unnecessary Privileges), causing plugin components to operate with excessive system privileges. An authenticated remote attacker can exploit these privileges to gain access to sensitive data or modify it. The network attack vector with low complexity and no required user interaction makes exploitation relatively simple. The changed scope (Scope: Changed) indicates that impacts may extend beyond the directly vulnerable component.
An attacker with basic authentication level can disclose sensitive data or modify it, and potentially disrupt system availability, which in hosting environments can lead to data breach affecting multiple customers.
Update required: Acronis Backup plugin for cPanel & WHM (Linux) to build 619 or later, Acronis Backup extension for Plesk (Linux) to build 555 or later, Acronis Backup plugin for DirectAdmin (Linux) to build 147 or later. Details available in the vendor's advisory: https://security-advisory.acronis.com/advisories/SEC-4976
Acronis Backup plugin for cPanel & WHM (Linux) before build 619, Acronis Backup extension for Plesk (Linux) before build 555, Acronis Backup plugin for DirectAdmin (Linux) before build 147.
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H