618 matches found
CVE-2025-49618
In Plesk Obsidian 18.0.69, unauthenticated requests to /loginup.php can reveal an AWS accessKeyId, secretAccessKey, region, and endpoint...
PT-2025-27799 · Plesk · Plesk Obsidian
Name of the Vulnerable Software and Affected Versions: Plesk Obsidian version 18.0.69 Description: The issue allows unauthenticated requests to the "/login up.php" API endpoint to reveal sensitive AWS credentials, including accessKeyId, secretAccessKey, region, and endpoint. Recommendations: For...
Plesk Obsidian 安全漏洞
Plesk Obsidian is a hosting control panel from Plesk Switzerland. A security vulnerability exists in Plesk Obsidian version 18.0.69 that stems from an unauthenticated /loginup.php request that could disclose AWS credentials...
CVE-2025-49618
In Plesk Obsidian 18.0.69, unauthenticated requests to /loginup.php can reveal an AWS accessKeyId, secretAccessKey, region, and endpoint...
CVE-2025-49618
In Plesk Obsidian 18.0.69, unauthenticated requests to /loginup.php can reveal an AWS accessKeyId, secretAccessKey, region, and endpoint...
CVE-2025-49618
CVE-2025-49618 affects Plesk Obsidian 18.0.69. Unauthenticated requests to /login_up.php can disclose AWS credentials (accessKeyId, secretAccessKey, region, endpoint). Documented CVSSv3.1 base score 5.8 (Medium) with network attack vector, low attack complexity, no privileges required, and scope ...
CVE-2023-24044
A Host Header Injection issue on the Login page of Plesk Obsidian through 18.0.49 allows attackers to redirect users to malicious websites via a Host request header. NOTE: the vendor's position is "the ability to use arbitrary domain names to access the panel is an intended feature."...
CVE-2022-45130
Plesk Obsidian allows a CSRF attack, e.g., via the /api/v2/cli/commands REST API to change an Admin password. NOTE: Obsidian is a specific version of the Plesk product: version numbers were used through version 12, and then the convention was changed so that versions are identified by names...
CVE-2021-35976
The feature to preview a website in Plesk Obsidian 18.0.0 through 18.0.32 on Linux is vulnerable to reflected XSS via the /plesk-site-preview/ PATH, aka PFSI-62467. The attacker could execute JavaScript code in the victim's browser by using the link to preview sites hosted on the server...
CVE-2011-4768
The Site Editor aka SiteBuilder feature in Parallels Plesk Small Business Panel 10.2.0 omits the Content-Type header's charset parameter for certain resources, which might allow remote attackers to have an unspecified impact by leveraging an interpretation conflict involving...
CVE-2011-4850
The Control Panel in Parallels Plesk Panel 10.4.4build20111103.18 does not include the HTTPOnly flag in a Set-Cookie header for a cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie, as demonstrated by cookies used by...
CVE-2019-18793
Parallels Plesk Panel 9.5 allows XSS in target/locales/tr-TR/help/index.htm? via the "fileName" parameter...
CVE-2011-4746
The billing system for Parallels Plesk Panel 10.3.1build1013110726.09 does not disable the SSL 2.0 protocol, which makes it easier for remote attackers to conduct spoofing attacks by leveraging protocol weaknesses...
CVE-2013-4878
The default configuration of Parallels Plesk Panel 9.0.x and 9.2.x on UNIX, and Small Business Panel 10.x on UNIX, has an improper ScriptAlias directive for phppath, which makes it easier for remote attackers to execute arbitrary code via a crafted request, a different vulnerability than...
CVE-2011-4731
The Server Administration Panel in Parallels Plesk Panel 10.2.0build1011110331.18 includes an RFC 1918 IP address within a web page, which allows remote attackers to obtain potentially sensitive information by reading this page, as demonstrated by admin/home/admin and certain other files...
CVE-2013-0132
The suexec implementation in Parallels Plesk Panel 11.0.9 contains a cgi-wrapper whitelist entry, which allows user-assisted remote attackers to execute arbitrary PHP code via a request containing crafted environment variables...
CVE-2011-4777
Cross-site scripting XSS vulnerability in the Site Editor aka SiteBuilder feature in Parallels Plesk Panel 10.4.4build20111103.18 allows remote attackers to inject arbitrary web script or HTML via the login parameter to preferences.html...
CVE-2011-4766
The Site Editor aka SiteBuilder feature in Parallels Plesk Small Business Panel 10.2.0 allows remote attackers to obtain ASP source code via a direct request to wysiwyg/fckconfig.js. NOTE: CVE disputes this issue because ASP is only used in a JavaScript comment...
CVE-2025-24832
Arbitrary file overwrite during home directory recovery due to improper symbolic link handling. The following products are affected: Acronis Backup plugin for cPanel & WHM Linux before build 1.8.4.866, Acronis Backup plugin for cPanel & WHM Linux before build 1.9.1.892, Acronis Backup extension f...
CVE-2024-34014
Arbitrary file overwrite during recovery due to improper symbolic link handling. The following products are affected: Acronis Backup plugin for cPanel & WHM Linux before build 1.8.3.818, Acronis Backup plugin for cPanel & WHM Linux before build 1.9.1.892, Acronis Backup extension for Plesk Linux...