CVE-2011-4768
https://notcve.org/view.php?id=CVE-2011-4768
The Site Editor (aka SiteBuilder) feature in Parallels Plesk Small Business Panel 10.2.0 omits the Content-Type header's charset parameter for certain resources, which might allow remote attackers to have an unspecified impact by leveraging an interpretation conflict involving Wizard/Edit/Modules/Image and certain other files. NOTE: it is possible that only clients, not the Plesk product, could be affected by this issue. La característica "Site Editor" (SiteBuilder) de Parallels Plesk Small Business Panel 10.2.0 omite el parámetro charset de la cabecera Content-Type para determinados recursos, lo que permite a atacantes remotos tener un impacto sin especificar utilizando un conflicto de interpretación que involucre Wizard/Edit/Modules/Image y otros archivos determinados. NOTA: es posible que sólo clientes, no el producto Plesk, esten afectados por esta vulnerabilidad. • http://xss.cx/examples/plesk-reports/plesk-10.2.0-site-editor.html •
CVE-2011-4757
https://notcve.org/view.php?id=CVE-2011-4757
Parallels Plesk Small Business Panel 10.2.0 generates a password form field without disabling the autocomplete feature, which makes it easier for remote attackers to bypass authentication by leveraging an unattended workstation, as demonstrated by forms in smb/auth and certain other files. Parallels Plesk Small Business Panel 10.2.0 genera un campo de formulario de contraseña sin deshabilitar el autocompletado, lo que facilita a atacantes remotos evitar la autenticación accediendo a un ordenador desatentidido, como se ha demostrado en formularios de "smb/auth" y otros archivos determinados. • http://xss.cx/examples/plesk-reports/plesk-10.2.0.html https://exchange.xforce.ibmcloud.com/vulnerabilities/72209 • CWE-255: Credentials Management Errors •
CVE-2011-4756
https://notcve.org/view.php?id=CVE-2011-4756
Parallels Plesk Small Business Panel 10.2.0 does not include the HTTPOnly flag in a Set-Cookie header for a cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie, as demonstrated by cookies used by domains/sitebuilder_edit.php and certain other files. Parallels Plesk Small Business Panel 10.2.0 no incluye el atributo HTTPOnly de una cabecera Set-Cookie para una cookie, lo que facilita a atacantes remotos obtener información confidencial a través de scripts que acceden a esta cookie, como se ha demostrado por cookies usadas en domains/sitebuilder_edit.php y otros archivos determinados. • http://xss.cx/examples/plesk-reports/plesk-10.2.0.html https://exchange.xforce.ibmcloud.com/vulnerabilities/72208 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2011-4764
https://notcve.org/view.php?id=CVE-2011-4764
Multiple cross-site scripting (XSS) vulnerabilities in the Site Editor (aka SiteBuilder) feature in Parallels Plesk Small Business Panel 10.2.0 allow remote attackers to inject arbitrary web script or HTML via crafted input to a PHP script, as demonstrated by Wizard/Edit/Modules/Image and certain other files. Multiples vulnerabilidades de secuencias de comandos en sitios cruzados (XSS) en la funcionalidad "Site Editor" (SiteBuilder) de Parallels Plesk Small Business Panel 10.2.0. Permite a atacantes remotos inyectar codigo de script web o código HTML de su elección a través de una entrada modificada a un script PHP, tal como se ha demostrado en "Wizard/Edit/Modules/Image" y otros determinados ficheros. • http://xss.cx/examples/plesk-reports/plesk-10.2.0-site-editor.html https://exchange.xforce.ibmcloud.com/vulnerabilities/72216 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2011-4759
https://notcve.org/view.php?id=CVE-2011-4759
Parallels Plesk Small Business Panel 10.2.0 generates web pages containing external links in response to GET requests with query strings for client@1/domain@1/hosting/file-manager/ and certain other files, which makes it easier for remote attackers to obtain sensitive information by reading (1) web-server access logs or (2) web-server Referer logs, related to a "cross-domain Referer leakage" issue. Parallels Plesk Small Business Panel 10.2.0 genera páginas web que contienen enlaces externos en respuesta a peticiones GET con peticiones de búsqueda de "client@1/domain@1/hosting/file-manager/" y otros archivos determinados, lo que facilita a atacantes remotos obtener información confidencial leyendo (1) los logs de acceso o (2) Referer del servidor web, relacionado con una filtración de Referer entre dominios. • http://xss.cx/examples/plesk-reports/plesk-10.2.0.html https://exchange.xforce.ibmcloud.com/vulnerabilities/72211 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •