CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 1CVE-2011-4852
https://notcve.org/view.php?id=CVE-2011-4852
The Control Panel in Parallels Plesk Panel 10.4.4_build20111103.18 generates web pages containing external links in response to GET requests with query strings for enterprise/mobile-monitor/ and certain other files, which makes it easier for remote attackers to obtain sensitive information by reading (1) web-server access logs or (2) web-server Referer logs, related to a "cross-domain Referer leakage" issue. El panel de control de Parallels Plesk Panel 10.4.4_build20111103.18 genera páginas web que contienen enlaces externos en respuesta a peticiones GET con cadenas de búsqueda "enterprise/mobile-monitor/" y otros archivos determinados, lo que facilita a atacantes remotos obtener información confidencial leyendo (1) logs de acceso al servidor web o (2) logs Referer. Relacionado con un problema de pérdida de Referer entre dominios. • http://xss.cx/kb/parallels/xss-parallelspleskpanel.v10.4.4_build20111103.18-os_windows-2003-2008-reflected-cross-site-scripting-cwe79-capec86-javascript-injection-example-poc-report.html https://exchange.xforce.ibmcloud.com/vulnerabilities/72095 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.3EPSS: 0%CPEs: 3EXPL: 0CVE-2011-4855
https://notcve.org/view.php?id=CVE-2011-4855
The Control Panel in Parallels Plesk Panel 10.4.4_build20111103.18 omits the Content-Type header's charset parameter for certain resources, which might allow remote attackers to have an unspecified impact by leveraging an interpretation conflict involving admin/customer-service-plan/list/reset-search/true/ and certain other files. NOTE: it is possible that only clients, not the Plesk product, could be affected by this issue. El panel de control de Parallels Plesk Panel 10.4.4_build20111103.18 omite el parámetro charset de la cabecera Content-Type para determinados recursos, lo que permite a atacantes remotos tener un impacto sin especificar utilizando un conflicto de interpretación que involucre "admin/customer-service-plan/list/reset-search/true/" y otros archivos determinados. NOTE: es posible que sólo clientes, no el producto Plesk, puedan estar afectado. • http://xss.cx/kb/parallels/xss-parallelspleskpanel.v10.4.4_build20111103.18-os_windows-2003-2008-reflected-cross-site-scripting-cwe79-capec86-javascript-injection-example-poc-report.html https://exchange.xforce.ibmcloud.com/vulnerabilities/72092 •