CVE-2021-35976
 
Public Exploits: 1
Exploited in Wild: -
Descriptions
The feature to preview a website in Plesk Obsidian 18.0.0 through 18.0.32 on Linux is vulnerable to reflected XSS via the /plesk-site-preview/ PATH, aka PFSI-62467. The attacker could execute JavaScript code in the victim's browser by using the link to preview sites hosted on the server. Authentication is not required to exploit the vulnerability.
Timeline
- 2021-06-30 CVE Reserved
- 2021-09-10 CVE Published
- 2024-08-04 CVE Updated
- 2024-08-04 First Exploit
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
References (3)
URL | Tag | Source |
---|---|---|
https://www.bouali.io/cves/cve-2021-35976 | Broken Link | |

URL | Date | SRC |
---|---|---|
https://tarekbouali.com/cves/cve-2021-35976 | 2024-08-04 | |
https://support.plesk.com/hc/en-us/articles/4402990507026 | 2021-11-28 | |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Plesk | Obsidian | >= 18.0.0 <= 18.0.32 | - | Affected |