Let’s delve into a list of Plesk vulnerabilities and understand their implications. Our Plesk Support team is here to help you with your questions and concerns.
Plesk Vulnerabilities List: Safeguard Your Server
Plesk is a popular web hosting control panel. However, it has fallen victim to various security vulnerabilities over the years, affecting multiple versions of the software. These vulnerabilities can pose significant risks to server integrity and data security.
This is why we need to implement robust security measures and ensure consistent updates to avoid potential threats. Let’s look at some notable Plesk vulnerabilities and understand their implications.
Key Plesk Vulnerabilities
CVE-2023-4931
An uncontrolled search path element vulnerability in Plesk Installer version 3.27.0.0 lets a local attacker execute arbitrary code by placing DLL files in the application’s folder.
This leads to DLL hijacking in files like edputil.dll, samlib.dll, urlmon.dll, sspicli.dll, propsys.dll, and profapi.dll.
CVE-2023-43784
Plesk Onyx 17.8.11 contains fields related to an Amazon AWS Firehose component, specifically accessKeyId and secretAccessKey. The presence of these credential fields may itself constitute a vulnerability.
CVE-2023-24044
A host header injection issue on the login page of Plesk Obsidian through version 18.0.49 lets attackers redirect users to malicious websites via the Host request header.
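To make the defensive point concrete, here is an added illustration (not Plesk’s code) of the weak pattern behind a login-page host header injection, the hardened form that never builds a redirect from the client-supplied Host value, and a small check over constructed access-log lines. The hostnames, origin and log format are assumptions for the example.

```python
# Added illustration (not Plesk's code): why trusting the Host header for a
# login-page redirect is dangerous, and how a fixed canonical origin removes it.
from urllib.parse import urlsplit

# Hypothetical allowlist of hostnames this panel is actually served under.
ALLOWED_HOSTS = {"panel.example.com", "panel.example.com:8443"}
CANONICAL_ORIGIN = "https://panel.example.com:8443"


def vulnerable_login_redirect(headers: dict, next_path: str = "/login") -> str:
    """Weak pattern: the absolute redirect URL is assembled from the
    client-supplied Host header, so a forged Host value steers the user
    to whatever site the attacker named."""
    return "https://" + headers.get("Host", "") + next_path


def hardened_login_redirect(headers: dict, next_path: str = "/login"):
    """Fixed pattern: the Host header is only validated, never used to build
    the URL. Returns the redirect target, or None when the request should be
    refused (unknown Host, or a path that is not strictly local)."""
    host = headers.get("Host", "")
    if host not in ALLOWED_HOSTS:
        return None
    if not next_path.startswith("/") or next_path.startswith("//"):
        return None
    return CANONICAL_ORIGIN + next_path


def is_external_redirect(location: str) -> bool:
    """True if a Location value points outside the allowed hosts."""
    return urlsplit(location).netloc not in ALLOWED_HOSTS


# Constructed access-log lines; the trailing field is the request's Host
# value (a format chosen for this example, not a standard Plesk log layout).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2024:10:00:01 +0000] "GET /login HTTP/1.1" 302 panel.example.com:8443
203.0.113.9 - - [10/Jan/2024:10:00:07 +0000] "GET /login HTTP/1.1" 302 evil.example.net
"""


def find_foreign_host_requests(log_text: str) -> list:
    """Return (client_ip, host) pairs whose Host value is not on the allowlist;
    a burst of these against /login is worth investigating."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        client_ip, host = parts[0], parts[-1]
        if host not in ALLOWED_HOSTS:
            hits.append((client_ip, host))
    return hits
```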
CVE-2023-0829
Furthermore, versions of Plesk from 17.0 through 18.0.31 are vulnerable to cross-site scripting (XSS). This becomes a problem when the administrator visits a specific Plesk page associated with a malicious subscription.
CVE-2022-45130
Additionally, Plesk Obsidian is susceptible to a cross-site request forgery (CSRF) attack via the /api/v2/cli/commands REST API, through which an admin password can be changed. (Obsidian is the product name Plesk has used for releases after version 12.)
CVE-2021-45008
Plesk CMS version 18.0.37 has an insecure permissions vulnerability that allows privilege escalation from user to admin rights.
CVE-2021-45007
Also, version 18.0.37 of Plesk suffers from a CSRF vulnerability, enabling an attacker to insert data into the user and admin panels.
CVE-2020-11584
Furthermore, a GET-based reflected XSS vulnerability in Plesk Onyx version 17.8.11 lets remote unauthenticated users inject arbitrary JavaScript, HTML, or CSS via a GET parameter.
CVE-2020-11583
Similarly, Plesk Obsidian version 18.0.17 has a GET-based reflected XSS vulnerability allowing remote unauthenticated users to inject arbitrary JavaScript, HTML, or CSS via a GET parameter.
Conclusion
In brief, our Support Experts walked us through several notable Plesk vulnerabilities and their implications.