CVE-2019-18793 – Parallels Plesk Panel 9.5 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2019-18793
Parallels Plesk Panel 9.5 allows XSS in target/locales/tr-TR/help/index.htm? via the "fileName" parameter. Parallels Plesk Panel version 9.5 suffers from a cross site scripting vulnerability. • http://packetstormsecurity.com/files/155175/Parallels-Plesk-Panel-9.5-Cross-Site-Scripting.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
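Added example, not code from Plesk or from the Packet Storm advisory: a minimal stand-in for a help page that reflects the "fileName" query parameter into its HTML, shown in the vulnerable form (raw reflection, CWE-79) and the fixed form (output-encoded). Python is used for the examples on this page because the affected component's own source is not reproduced here; the page markup, the probe string and the reflection check are constructed for the demonstration.

```python
import html
from urllib.parse import parse_qs, quote

# Constructed stand-in for a help page that reflects the "fileName" query
# parameter into its markup. It illustrates the CWE-79 pattern the advisory
# describes; it is not Plesk's own help/index.htm.


def render_help_vulnerable(query_string: str) -> str:
    """Reflects fileName into the page body with no output encoding."""
    params = parse_qs(query_string, keep_blank_values=True)
    file_name = params.get("fileName", [""])[0]
    return f"<html><body><h1>Help: {file_name}</h1></body></html>"


def render_help_fixed(query_string: str) -> str:
    """Same page, with the parameter HTML-escaped before it reaches the markup.

    html.escape(quote=True) also encodes quotes, so the value stays inert in
    attribute context as well as in element content.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    file_name = params.get("fileName", [""])[0]
    safe = html.escape(file_name, quote=True)
    return f"<html><body><h1>Help: {safe}</h1></body></html>"


def contains_unescaped_payload(page: str, payload: str) -> bool:
    """The reflection check a scanner runs: does the raw probe appear verbatim in the response?"""
    return payload in page


PAYLOAD = "<script>alert(1)</script>"  # constructed probe string


def demo():
    """Returns (reflected_unescaped_in_vulnerable, reflected_unescaped_in_fixed)."""
    qs = "fileName=" + quote(PAYLOAD, safe="")  # URL-encode the probe as a browser would
    return (
        contains_unescaped_payload(render_help_vulnerable(qs), PAYLOAD),
        contains_unescaped_payload(render_help_fixed(qs), PAYLOAD),
    )
```

The check mirrors what a reflected-XSS probe does in practice: send a marker through the parameter and look for it unmodified in the response body. Encoding at the point of output, as in render_help_fixed, is the fix; filtering on input alone is not, because the same value may later be emitted into a different context.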
CVE-2013-4878 – Plesk < 9.5.4 - Remote Command Execution
https://notcve.org/view.php?id=CVE-2013-4878
The default configuration of Parallels Plesk Panel 9.0.x and 9.2.x on UNIX, and Small Business Panel 10.x on UNIX, has an improper ScriptAlias directive for phppath, which makes it easier for remote attackers to execute arbitrary code via a crafted request, a different vulnerability than CVE-2012-1823. • https://www.exploit-db.com/exploits/25986 http://kb.parallels.com/116241 http://seclists.org/fulldisclosure/2013/Jun/21 http://www.kb.cert.org/vuls/id/673343 • CWE-264: Permissions, Privileges, and Access Controls
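Added example, not Plesk's configuration or the Exploit-DB module: a small auditor for httpd configuration that flags ScriptAlias directives mapping a URL prefix onto an interpreter binary or a system bin directory, which is the shape of misconfiguration the advisory describes. The sample config fragment, the "/phppath/" target and the interpreter and directory lists are assumptions made for the demo.

```python
import re
import shlex
from pathlib import PurePosixPath

# Constructed httpd config fragment. The /phppath/ line is an assumed shape of
# the "improper ScriptAlias directive for phppath" named in the advisory; it is
# not copied from a Plesk install.
SAMPLE_CONFIG = """
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
# an alias that maps a URL prefix straight onto a directory of interpreters
ScriptAlias /phppath/ "/usr/bin/"
Alias /static/ "/var/www/static/"
"""

# Assumed lists: interpreters that must never be reachable as CGI programs by
# URL, and directories where such interpreters live.
INTERPRETER_NAMES = {"php", "php-cgi", "php5", "php5-cgi", "perl", "python", "sh", "bash"}
SYSTEM_BIN_DIRS = {"/bin", "/usr/bin", "/usr/local/bin", "/sbin", "/usr/sbin"}

SCRIPTALIAS_RE = re.compile(r"^\s*ScriptAlias(?:Match)?\s+(.*)$", re.IGNORECASE)


def parse_scriptaliases(config_text):
    """Yield (url_prefix, fs_target) for every ScriptAlias / ScriptAliasMatch directive."""
    for line in config_text.splitlines():
        m = SCRIPTALIAS_RE.match(line)
        if not m:
            continue
        try:
            args = shlex.split(m.group(1), comments=True)  # honours quoted paths
        except ValueError:
            continue  # unbalanced quotes; skip rather than guess
        if len(args) >= 2:
            yield args[0], args[1]


def is_interpreter_exposure(fs_target):
    """True when the alias target is a whole system bin directory or an interpreter binary inside one."""
    target = fs_target.rstrip("/")
    if target in SYSTEM_BIN_DIRS:
        return True
    p = PurePosixPath(target)
    return p.name in INTERPRETER_NAMES and str(p.parent) in SYSTEM_BIN_DIRS


def audit(config_text):
    """Return the (url_prefix, fs_target) aliases that expose an interpreter as a CGI program."""
    return [(u, t) for u, t in parse_scriptaliases(config_text) if is_interpreter_exposure(t)]
```

Why this matters: a ScriptAlias onto /usr/bin/ lets a client execute any binary in that directory as a CGI program, with a request-controlled query string. When the binary is php-cgi, that combines with the query-string argument handling of the cross-referenced CVE-2012-1823, which is why the advisory treats the alias itself as the defect. The fix is to remove the alias (or point it at a dedicated directory that holds only the intended CGI scripts), not to harden the interpreter.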
CVE-2013-0133
https://notcve.org/view.php?id=CVE-2013-0133
Untrusted search path vulnerability in /usr/local/psa/admin/sbin/wrapper in Parallels Plesk Panel 11.0.9 allows local users to gain privileges via a crafted PATH environment variable. • http://www.kb.cert.org/vuls/id/310500
CVE-2013-0132
https://notcve.org/view.php?id=CVE-2013-0132
The suexec implementation in Parallels Plesk Panel 11.0.9 contains a cgi-wrapper whitelist entry, which allows user-assisted remote attackers to execute arbitrary PHP code via a request containing crafted environment variables. • http://www.kb.cert.org/vuls/id/310500 • CWE-94: Improper Control of Generation of Code ('Code Injection')
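Added example serving both VU#310500 entries above (CVE-2013-0133, PATH hijack of a privileged wrapper, and CVE-2013-0132, environment variables passed through a wrapper's whitelist). It is not Plesk's wrapper or suexec code. It simulates a privileged launcher that runs a helper program, shows how a caller-controlled PATH redirects that lookup to an attacker's binary, and builds the environment such a launcher should hand to its child: a fixed search path plus a strict allowlist. The helper name "psa-helper", the allowlist contents, the temporary directories and the smuggled variable names (PHPRC, LD_PRELOAD) are constructed for the demo; the advisory does not name the variables involved.

```python
import os
import shutil
import stat
import tempfile

HELPER = "psa-helper"  # hypothetical helper a privileged wrapper would invoke

# Assumed allowlist of CGI variables a wrapper legitimately forwards. Anything an
# interpreter reads as configuration is deliberately absent: a whitelist entry
# that lets such a variable through is the class of defect CVE-2013-0132 names.
ENV_ALLOWLIST = {
    "GATEWAY_INTERFACE", "REQUEST_METHOD", "QUERY_STRING", "SCRIPT_FILENAME",
    "SERVER_NAME", "SERVER_PORT", "REMOTE_ADDR", "CONTENT_TYPE", "CONTENT_LENGTH",
}


def _make_exe(directory, name):
    """Write a stub shell script and mark it executable (constructed test fixture)."""
    path = os.path.join(directory, name)
    with open(path, "w") as f:
        f.write("#!/bin/sh\nexit 0\n")
    os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
    return path


def resolve_helper(caller_env, trusted_path):
    """Where does HELPER resolve under the caller's PATH versus a fixed trusted PATH?"""
    hijacked = shutil.which(HELPER, path=caller_env.get("PATH", ""))
    safe = shutil.which(HELPER, path=trusted_path)
    return hijacked, safe


def build_safe_env(caller_env, trusted_path):
    """Environment a privileged wrapper should give its child: allowlisted vars and a fixed PATH."""
    env = {k: v for k, v in caller_env.items() if k in ENV_ALLOWLIST}
    env["PATH"] = trusted_path  # never inherit PATH from an unprivileged caller
    return env


def demo():
    """Run the hijack and the hardened lookup side by side; returns a dict of outcomes."""
    with tempfile.TemporaryDirectory() as root:
        attacker_dir = os.path.join(root, "attacker")
        system_dir = os.path.join(root, "system")
        os.makedirs(attacker_dir)
        os.makedirs(system_dir)
        evil = _make_exe(attacker_dir, HELPER)  # local user's look-alike binary
        real = _make_exe(system_dir, HELPER)    # the helper the wrapper intended to run
        caller_env = {
            "PATH": attacker_dir + os.pathsep + system_dir,  # attacker-controlled search path
            "QUERY_STRING": "a=1",
            "PHPRC": "/tmp/evil",        # constructed: interpreter-config variable smuggled in
            "LD_PRELOAD": "/tmp/evil.so",
        }
        hijacked, safe = resolve_helper(caller_env, system_dir)
        env = build_safe_env(caller_env, system_dir)
        return {
            "hijacked_by_attacker": hijacked == evil,
            "safe_resolves_real": safe == real,
            "dropped": sorted(set(caller_env) - set(env)),
            "path_reset": env["PATH"] == system_dir,
        }
```

Two rules fall out of this: a setuid or otherwise privileged wrapper must execute helpers by absolute path or under a PATH it sets itself, and when it forwards environment to an interpreter it must allowlist by exact name and review every entry for variables that interpreter treats as configuration or code-loading directives.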
CVE-2012-1557
https://notcve.org/view.php?id=CVE-2012-1557
SQL injection vulnerability in admin/plib/api-rpc/Agent.php in Parallels Plesk Panel 7.x and 8.x before 8.6 MU#2, 9.x before 9.5 MU#11, 10.0.x before MU#13, 10.1.x before MU#22, 10.2.x before MU#16, and 10.3.x before MU#5 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, as exploited in the wild in March 2012. • http://download1.parallels.com/Plesk/PP10/parallels-plesk-panel-10-linux-updates-release-notes.html#10216 http://download1.parallels.com/Plesk/PP10/parallels-plesk-panel-10-windows-updates-release-notes.html#10216 http://kb.parallels.com/en/113321 http://secunia.com/advisories/48262 http://www.cert.fi/haavoittuvuudet/2012/haavoittuvuus-2012-035.html http://www.h-online.com/security/news/item/Bug-in-Plesk-administration-software-is-being-actively-exploited-1446587.html http://www.openwall.com/lists/ • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
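Added example, not code from Agent.php: the query-construction defect behind CWE-89, shown against an in-memory SQLite table standing in for the panel's backend. A "look up client by login" operation is built first by string concatenation and then with a bound parameter, and both are driven with a tautology probe and a UNION probe that pulls another column out. The table, rows, operation and probe strings are constructed for the demo; the advisory gives no detail of the real vector beyond "unspecified".

```python
import sqlite3

# Constructed schema and rows standing in for an API-RPC client lookup.


def setup():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE clients (id INTEGER PRIMARY KEY, login TEXT, passwd TEXT)")
    conn.executemany(
        "INSERT INTO clients (login, passwd) VALUES (?, ?)",
        [("admin", "s3cret"), ("alice", "hunter2"), ("bob", "pass")],
    )
    return conn


def lookup_vulnerable(conn, login):
    """String-concatenated query: the caller's input becomes part of the SQL grammar."""
    sql = "SELECT login FROM clients WHERE login = '" + login + "'"
    return [r[0] for r in conn.execute(sql)]


def lookup_fixed(conn, login):
    """Parameterised query: the input is bound as a value and cannot alter the statement."""
    return [r[0] for r in conn.execute("SELECT login FROM clients WHERE login = ?", (login,))]


def demo():
    """Drive both lookups with a legitimate value and two constructed injection probes."""
    conn = setup()
    tautology = "x' OR '1'='1"                               # turns the WHERE clause always-true
    exfil = "x' UNION SELECT passwd FROM clients--"          # appends a second SELECT, comments out the rest
    return {
        "legit": lookup_fixed(conn, "alice"),
        "vulnerable_tautology": lookup_vulnerable(conn, tautology),  # every login
        "vulnerable_exfil": lookup_vulnerable(conn, exfil),          # password column instead
        "fixed_tautology": lookup_fixed(conn, tautology),            # no such login
        "fixed_exfil": lookup_fixed(conn, exfil),                    # no such login
    }
```

The point of the UNION probe is that injection in a lookup that returns "only" a login is still a full read primitive against every table the database user can see; escaping quotes by hand is not a substitute for binding parameters, because the same defect reappears in every numeric, LIKE or ORDER BY position the escaping does not cover.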