CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2013-0132
https://notcve.org/view.php?id=CVE-2013-0132
The suexec implementation in Parallels Plesk Panel 11.0.9 contains a cgi-wrapper whitelist entry, which allows user-assisted remote attackers to execute arbitrary PHP code via a request containing crafted environment variables. La aplicación suexec en Parallels Plesk Panel v11.0.9 contiene una entrada de la lista blanca cgi-wrapper, que permite a atacantes remotos asistidos por el usuario ejecutar código PHP arbitrario a través de una solicitud que contiene variables de entorno manipulada. • http://www.kb.cert.org/vuls/id/310500 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.5EPSS: 0%CPEs: 43EXPL: 0CVE-2012-1557
https://notcve.org/view.php?id=CVE-2012-1557
SQL injection vulnerability in admin/plib/api-rpc/Agent.php in Parallels Plesk Panel 7.x and 8.x before 8.6 MU#2, 9.x before 9.5 MU#11, 10.0.x before MU#13, 10.1.x before MU#22, 10.2.x before MU#16, and 10.3.x before MU#5 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, as exploited in the wild in March 2012. Vulnerabilidad de inyección SQL en admin/plib/api-rpc/Agent.php de Parallels Plesk Panel 7.x y 8.x anteriores a 8.6 MU#2, 9.x anteriores a 9.5 MU#11, 10.0.x anteriores a MU#13, 10.1.x anteriores a MU#22, 10.2.x anteriores a MU#16, t 10.3.x anteriores a MU#5 permite a atacantes remotos ejecutar comandos SQL de su elección a través de vectores sin especificar, como se ha demostrado en ataques reales en marzo del 2012. • http://download1.parallels.com/Plesk/PP10/parallels-plesk-panel-10-linux-updates-release-notes.html#10216 http://download1.parallels.com/Plesk/PP10/parallels-plesk-panel-10-windows-updates-release-notes.html#10216 http://kb.parallels.com/en/113321 http://secunia.com/advisories/48262 http://www.cert.fi/haavoittuvuudet/2012/haavoittuvuus-2012-035.html http://www.h-online.com/security/news/item/Bug-in-Plesk-administration-software-is-being-actively-exploited-1446587.html http://www.openwall.com/lists/ • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.0EPSS: 0%CPEs: 3EXPL: 0CVE-2011-4729
https://notcve.org/view.php?id=CVE-2011-4729
The Server Administration Panel in Parallels Plesk Panel 10.2.0_build1011110331.18 does not include the HTTPOnly flag in a Set-Cookie header for a cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie, as demonstrated by cookies used by login_up.php3 and certain other files. El panel de administración del servidor de Parallels Plesk Panel 10.2.0_build1011110331.18 no incluye la etiqueta HTTPOnly en una cabecera Set-Cookie para una cookie, lo que facilita a atacantes remotos obtener información confidencial a través un script que acceda a esta cookie, tal como se ha demostrado con cookies utilizadas en login_up.php3 y otros archivos concretos. • http://xss.cx/examples/plesk-reports/plesk-redhat-el6-psa-10.2.0-build-1011110331.18-xss-sqli-cwe79-cwe89-javascript-injection-exception-example-poc-report-paros-burp-suite-pro-1.4.1.html https://exchange.xforce.ibmcloud.com/vulnerabilities/72330 •
CVSS: 9.3EPSS: 0%CPEs: 3EXPL: 0CVE-2011-4851
https://notcve.org/view.php?id=CVE-2011-4851
The Control Panel in Parallels Plesk Panel 10.4.4_build20111103.18 generates a password form field without disabling the autocomplete feature, which makes it easier for remote attackers to bypass authentication by leveraging an unattended workstation, as demonstrated by forms in server/google-tools/ and certain other files. El panel de control de Parallels Plesk Panel 10.4.4_build20111103.18 genera un campo de formulario de contraseña sin deshabilitar el autocompletado, lo que facilita a atacantes remotos eviar la autenticación accediendo a un ordenador desatendido. Tal como se ha demostrado por formularios en "server/google-tools/" y otros archivos determinados. • http://xss.cx/kb/parallels/xss-parallelspleskpanel.v10.4.4_build20111103.18-os_windows-2003-2008-reflected-cross-site-scripting-cwe79-capec86-javascript-injection-example-poc-report.html https://exchange.xforce.ibmcloud.com/vulnerabilities/72226 • CWE-255: Credentials Management Errors •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2011-4848
https://notcve.org/view.php?id=CVE-2011-4848
The Control Panel in Parallels Plesk Panel 10.4.4_build20111103.18 includes a submitted password within an HTTP response body, which allows remote attackers to obtain sensitive information by sniffing the network, as demonstrated by password handling in certain files under client@1/domain@1/backup/local-repository/. El panel de control de Parallels Plesk Panel 10.4.4_build20111103.18 incluye una contraseña suministrada ("submitted") dentro del cuerpo de la respuesta HTTP, lo que facilita a atacantes remotos obtener información confidencial interceptando el tráfico de red. Tal como se ha demostrado por el manejo de la contraseña en determinados archivos bajo client@1/domain@1/backup/local-repository/. • http://xss.cx/kb/parallels/xss-parallelspleskpanel.v10.4.4_build20111103.18-os_windows-2003-2008-reflected-cross-site-scripting-cwe79-capec86-javascript-injection-example-poc-report.html https://exchange.xforce.ibmcloud.com/vulnerabilities/72223 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •