CVSS: 7.5EPSS: 17%CPEs: 4EXPL: 1CVE-2013-4878 – Plesk < 9.5.4 - Remote Command Execution
https://notcve.org/view.php?id=CVE-2013-4878
The default configuration of Parallels Plesk Panel 9.0.x and 9.2.x on UNIX, and Small Business Panel 10.x on UNIX, has an improper ScriptAlias directive for phppath, which makes it easier for remote attackers to execute arbitrary code via a crafted request, a different vulnerability than CVE-2012-1823. La configuración por defecto de Parallels Plesk Panel v9.0.x y v9.2.x en UNIX, y Small Business Panel v10.x en UNIX, tiene una directiva ScriptAlias incorrecta para phppath, lo que hace más facil para atacantes remotos ejecutar código arbitrario mediante una solicitud especialmente diseñada, una vulnerabilidad diferente a CVE-2012-1823. • https://www.exploit-db.com/exploits/25986 http://kb.parallels.com/116241 http://seclists.org/fulldisclosure/2013/Jun/21 http://www.kb.cert.org/vuls/id/673343 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.5EPSS: 0%CPEs: 43EXPL: 0CVE-2012-1557
https://notcve.org/view.php?id=CVE-2012-1557
SQL injection vulnerability in admin/plib/api-rpc/Agent.php in Parallels Plesk Panel 7.x and 8.x before 8.6 MU#2, 9.x before 9.5 MU#11, 10.0.x before MU#13, 10.1.x before MU#22, 10.2.x before MU#16, and 10.3.x before MU#5 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, as exploited in the wild in March 2012. Vulnerabilidad de inyección SQL en admin/plib/api-rpc/Agent.php de Parallels Plesk Panel 7.x y 8.x anteriores a 8.6 MU#2, 9.x anteriores a 9.5 MU#11, 10.0.x anteriores a MU#13, 10.1.x anteriores a MU#22, 10.2.x anteriores a MU#16, t 10.3.x anteriores a MU#5 permite a atacantes remotos ejecutar comandos SQL de su elección a través de vectores sin especificar, como se ha demostrado en ataques reales en marzo del 2012. • http://download1.parallels.com/Plesk/PP10/parallels-plesk-panel-10-linux-updates-release-notes.html#10216 http://download1.parallels.com/Plesk/PP10/parallels-plesk-panel-10-windows-updates-release-notes.html#10216 http://kb.parallels.com/en/113321 http://secunia.com/advisories/48262 http://www.cert.fi/haavoittuvuudet/2012/haavoittuvuus-2012-035.html http://www.h-online.com/security/news/item/Bug-in-Plesk-administration-software-is-being-actively-exploited-1446587.html http://www.openwall.com/lists/ • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •