CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2019-18793 – Parallels Plesk Panel 9.5 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2019-18793
Parallels Plesk Panel 9.5 allows XSS in target/locales/tr-TR/help/index.htm? via the "fileName" parameter. Parallels Plesk Panel versión 9.5, permite un ataque de tipo XSS en el archivo target/locales/tr-TR/help/index.htm por medio del parámetro "fileName". Parallels Plesk Panel version 9.5 suffers from a cross site scripting vulnerability. • http://packetstormsecurity.com/files/155175/Parallels-Plesk-Panel-9.5-Cross-Site-Scripting.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 1%CPEs: 1EXPL: 2CVE-2017-9447
https://notcve.org/view.php?id=CVE-2017-9447
In the web interface of Parallels Remote Application Server (RAS) 15.5 Build 16140, a vulnerability exists due to improper validation of the file path when requesting a resource under the "RASHTML5Gateway" directory. A remote, unauthenticated attacker could exploit this weakness to read arbitrary files from the vulnerable system using path traversal sequences. En la interfaz web de Parallels Remote Application Server (RAS) 15.5 Build 16140, existe una vulnerabilidad debido a la validación incorrecta de la ruta de archivo al solicitar un recurso en el directorio "RASHTML5Gateway". Un atacante remoto no autenticado podría explotar esta debilidad para leer archivos arbitrarios del sistema vulnerable empleando secuencias de salto de directorio. • https://blog.runesec.com/2018/02/22/parallels-ras-path-traversal https://www.exploit-db.com/exploits/442321 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.5EPSS: 17%CPEs: 4EXPL: 1CVE-2013-4878 – Plesk < 9.5.4 - Remote Command Execution
https://notcve.org/view.php?id=CVE-2013-4878
The default configuration of Parallels Plesk Panel 9.0.x and 9.2.x on UNIX, and Small Business Panel 10.x on UNIX, has an improper ScriptAlias directive for phppath, which makes it easier for remote attackers to execute arbitrary code via a crafted request, a different vulnerability than CVE-2012-1823. La configuración por defecto de Parallels Plesk Panel v9.0.x y v9.2.x en UNIX, y Small Business Panel v10.x en UNIX, tiene una directiva ScriptAlias incorrecta para phppath, lo que hace más facil para atacantes remotos ejecutar código arbitrario mediante una solicitud especialmente diseñada, una vulnerabilidad diferente a CVE-2012-1823. • https://www.exploit-db.com/exploits/25986 http://kb.parallels.com/116241 http://seclists.org/fulldisclosure/2013/Jun/21 http://www.kb.cert.org/vuls/id/673343 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2013-0133
https://notcve.org/view.php?id=CVE-2013-0133
Untrusted search path vulnerability in /usr/local/psa/admin/sbin/wrapper in Parallels Plesk Panel 11.0.9 allows local users to gain privileges via a crafted PATH environment variable. Vulnerabilidad de búsqueda no segura en la ruta /usr/local/psa/admin/sbin/wrapper de Parallels Plesk Panel v11.0.9 permite a usuarios locales conseguir privilegios a través de una variable de entorno PATH manipulada. • http://www.kb.cert.org/vuls/id/310500 •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2013-0132
https://notcve.org/view.php?id=CVE-2013-0132
The suexec implementation in Parallels Plesk Panel 11.0.9 contains a cgi-wrapper whitelist entry, which allows user-assisted remote attackers to execute arbitrary PHP code via a request containing crafted environment variables. La aplicación suexec en Parallels Plesk Panel v11.0.9 contiene una entrada de la lista blanca cgi-wrapper, que permite a atacantes remotos asistidos por el usuario ejecutar código PHP arbitrario a través de una solicitud que contiene variables de entorno manipulada. • http://www.kb.cert.org/vuls/id/310500 • CWE-94: Improper Control of Generation of Code ('Code Injection') •