CVE-2011-4850

2022-10-0316:15:15

mitre

www.cve.org

control panel

parallels plesk panel

set-cookie

httponly

remote attackers

sensitive information

script access

6.1 Medium

AI Score

Confidence

Low

0.002 Low

EPSS

Percentile

60.4%

JSON

The Control Panel in Parallels Plesk Panel 10.4.4_build20111103.18 does not include the HTTPOnly flag in a Set-Cookie header for a cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie, as demonstrated by cookies used by help.php and certain other files.

References

xss.cx/kb/parallels/xss-parallelspleskpanel.v10.4.4_build20111103.18-os_windows-2003-2008-reflected-cross-site-scripting-cwe79-capec86-javascript-injection-example-poc-report.html