Page 18 of 149 results (0.010 seconds)

CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 1

Multiple cross-site request forgery (CSRF) vulnerabilities in Parallels H-Sphere 3.3 Patch 1 allow remote attackers to hijack the authentication of admins for requests that (1) add group plans via admin/group_plans.html or (2) add extra packages via admin/extra_packs/create_extra_pack.html. Múltiples vulnerabilidades de falsificación de petición en sitios cruzados (CSRF) en Parallels H-Sphere v3.3 Patch 1, permite a atacantes remotos secuestrar la autenticación de los administradores para peticiones que (1) añade planes de grupo a través admin/group_plans.html o (2) añadir paquetes estra a través de admin/extra_packs/create_extra_pack.html. • http://osvdb.org/78505 http://packetstormsecurity.org/files/view/108972/VL-392.txt http://secunia.com/advisories/47556 http://www.vulnerability-lab.com/get_content.php?id=392 https://exchange.xforce.ibmcloud.com/vulnerabilities/72628 • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 7.5EPSS: 0%CPEs: 43EXPL: 0

SQL injection vulnerability in admin/plib/api-rpc/Agent.php in Parallels Plesk Panel 7.x and 8.x before 8.6 MU#2, 9.x before 9.5 MU#11, 10.0.x before MU#13, 10.1.x before MU#22, 10.2.x before MU#16, and 10.3.x before MU#5 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, as exploited in the wild in March 2012. Vulnerabilidad de inyección SQL en admin/plib/api-rpc/Agent.php de Parallels Plesk Panel 7.x y 8.x anteriores a 8.6 MU#2, 9.x anteriores a 9.5 MU#11, 10.0.x anteriores a MU#13, 10.1.x anteriores a MU#22, 10.2.x anteriores a MU#16, t 10.3.x anteriores a MU#5 permite a atacantes remotos ejecutar comandos SQL de su elección a través de vectores sin especificar, como se ha demostrado en ataques reales en marzo del 2012. • http://download1.parallels.com/Plesk/PP10/parallels-plesk-panel-10-linux-updates-release-notes.html#10216 http://download1.parallels.com/Plesk/PP10/parallels-plesk-panel-10-windows-updates-release-notes.html#10216 http://kb.parallels.com/en/113321 http://secunia.com/advisories/48262 http://www.cert.fi/haavoittuvuudet/2012/haavoittuvuus-2012-035.html http://www.h-online.com/security/news/item/Bug-in-Plesk-administration-software-is-being-actively-exploited-1446587.html http://www.openwall.com/lists/ • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 5.0EPSS: 0%CPEs: 3EXPL: 0

The Server Administration Panel in Parallels Plesk Panel 10.2.0_build1011110331.18 does not include the HTTPOnly flag in a Set-Cookie header for a cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie, as demonstrated by cookies used by login_up.php3 and certain other files. El panel de administración del servidor de Parallels Plesk Panel 10.2.0_build1011110331.18 no incluye la etiqueta HTTPOnly en una cabecera Set-Cookie para una cookie, lo que facilita a atacantes remotos obtener información confidencial a través un script que acceda a esta cookie, tal como se ha demostrado con cookies utilizadas en login_up.php3 y otros archivos concretos. • http://xss.cx/examples/plesk-reports/plesk-redhat-el6-psa-10.2.0-build-1011110331.18-xss-sqli-cwe79-cwe89-javascript-injection-exception-example-poc-report-paros-burp-suite-pro-1.4.1.html https://exchange.xforce.ibmcloud.com/vulnerabilities/72330 •

CVSS: 9.3EPSS: 0%CPEs: 3EXPL: 0

The Control Panel in Parallels Plesk Panel 10.4.4_build20111103.18 generates a password form field without disabling the autocomplete feature, which makes it easier for remote attackers to bypass authentication by leveraging an unattended workstation, as demonstrated by forms in server/google-tools/ and certain other files. El panel de control de Parallels Plesk Panel 10.4.4_build20111103.18 genera un campo de formulario de contraseña sin deshabilitar el autocompletado, lo que facilita a atacantes remotos eviar la autenticación accediendo a un ordenador desatendido. Tal como se ha demostrado por formularios en "server/google-tools/" y otros archivos determinados. • http://xss.cx/kb/parallels/xss-parallelspleskpanel.v10.4.4_build20111103.18-os_windows-2003-2008-reflected-cross-site-scripting-cwe79-capec86-javascript-injection-example-poc-report.html https://exchange.xforce.ibmcloud.com/vulnerabilities/72226 • CWE-255: Credentials Management Errors •

CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0

The Control Panel in Parallels Plesk Panel 10.4.4_build20111103.18 includes a submitted password within an HTTP response body, which allows remote attackers to obtain sensitive information by sniffing the network, as demonstrated by password handling in certain files under client@1/domain@1/backup/local-repository/. El panel de control de Parallels Plesk Panel 10.4.4_build20111103.18 incluye una contraseña suministrada ("submitted") dentro del cuerpo de la respuesta HTTP, lo que facilita a atacantes remotos obtener información confidencial interceptando el tráfico de red. Tal como se ha demostrado por el manejo de la contraseña en determinados archivos bajo client@1/domain@1/backup/local-repository/. • http://xss.cx/kb/parallels/xss-parallelspleskpanel.v10.4.4_build20111103.18-os_windows-2003-2008-reflected-cross-site-scripting-cwe79-capec86-javascript-injection-example-poc-report.html https://exchange.xforce.ibmcloud.com/vulnerabilities/72223 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •