Plesk
Monthly
Cross-tenant credential disclosure in WebPros Plesk before 18.0.78.4 allows a low-privileged authenticated customer to enumerate domains belonging to other tenants through the XML-RPC API, because ownership checks are applied only to certain lookup filters and schema validation is skipped for legacy protocol versions. Because affected FTP credentials are stored in cleartext, an attacker retrieves another tenant's FTP password and can pivot to executing code as that tenant's system user. No public exploit has been identified at time of analysis, but the flaw was reported via HackerOne and carries a CVSS 9.9 rating.
Privilege escalation in the Plesk web hosting control panel lets an authenticated low-privileged user abuse an improper authorization flaw in the XML API to inject arbitrary configuration directives, achieving arbitrary file write as root and full compromise of the underlying server. Rated CVSS 9.9 with a scope change, this turns any valid panel account into root on the host; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Uncontrolled search path element vulnerability in Plesk Installer affects version 3.27.0.0. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Plesk 17.0 through 18.0.31 version, is vulnerable to a Cross-Site Scripting. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Cross-tenant credential disclosure in WebPros Plesk before 18.0.78.4 allows a low-privileged authenticated customer to enumerate domains belonging to other tenants through the XML-RPC API, because ownership checks are applied only to certain lookup filters and schema validation is skipped for legacy protocol versions. Because affected FTP credentials are stored in cleartext, an attacker retrieves another tenant's FTP password and can pivot to executing code as that tenant's system user. No public exploit has been identified at time of analysis, but the flaw was reported via HackerOne and carries a CVSS 9.9 rating.
Privilege escalation in the Plesk web hosting control panel lets an authenticated low-privileged user abuse an improper authorization flaw in the XML API to inject arbitrary configuration directives, achieving arbitrary file write as root and full compromise of the underlying server. Rated CVSS 9.9 with a scope change, this turns any valid panel account into root on the host; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Uncontrolled search path element vulnerability in Plesk Installer affects version 3.27.0.0. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Plesk 17.0 through 18.0.31 version, is vulnerable to a Cross-Site Scripting. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.