Vulnerability in Plesk’s MS SQL database user password update mechanism

Applicable to:

  • Plesk for Windows

Situation

A critical security vulnerability has been discovered in Plesk’s MS SQL database user password update mechanism. It allows local privilege escalation via SQL injection when an MS SQL database user password is changed.

Impact

Local privilege escalation (LPE) is possible.

Call to action

A fix for the issue has been released. To install it, update Plesk to 18.0.76 Update 6 or 18.0.77 Update 2 by following the steps in this guide: How to install Plesk updates
