cbcvebase.

Parallels Plesk Panel vulnerabilities

42 known vulnerabilities affecting parallels/parallels_plesk_panel.

Total CVEs
42
CISA KEV
0
Public exploits
1
Exploited in wild
2
Severity breakdown
CRITICAL12HIGH6MEDIUM24

Vulnerabilities

Page 1 of 3
CVE-2013-4878P2HIGHCVSS 7.5ExploitedPoCv9.0v9.22013-07-18
CVE-2013-4878 [HIGH] CVE-2013-4878: The default configuration of Parallels Plesk Panel 9.0.x and 9.2.x on UNIX, and Small Business Panel The default configuration of Parallels Plesk Panel 9.0.x and 9.2.x on UNIX, and Small Business Panel 10.x on UNIX, has an improper ScriptAlias directive for phppath, which makes it easier for remote attackers to execute arbitrary code via a crafted request, a different vulnerability than CVE-2012-1823.
nvd
CVE-2012-1557P2HIGHCVSS 7.5Exploitedv7.0v7.6.1+15 more2012-03-12
CVE-2012-1557 [HIGH] CWE-89 CVE-2012-1557: SQL injection vulnerability in admin/plib/api-rpc/Agent.php in Parallels Plesk Panel 7.x and 8.x bef SQL injection vulnerability in admin/plib/api-rpc/Agent.php in Parallels Plesk Panel 7.x and 8.x before 8.6 MU#2, 9.x before 9.5 MU#11, 10.0.x before MU#13, 10.1.x before MU#22, 10.2.x before MU#16, and 10.3.x before MU#5 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, as exploited in the wild in March 2012.
nvd
CVE-2011-4739P3CRITICALCVSS 10.0v10.2.0_build20110407.202011-12-16
CVE-2011-4739 [CRITICAL] CWE-255 CVE-2011-4739: The Control Panel in Parallels Plesk Panel 10.2.0 build 20110407.20 generates a password form field The Control Panel in Parallels Plesk Panel 10.2.0 build 20110407.20 generates a password form field without disabling the autocomplete feature, which makes it easier for remote attackers to bypass authentication by leveraging an unattended workstation, as demonstrated by forms in smb/my-profile and certain other files.
nvd
CVE-2011-4851P3CRITICALCVSS 9.3v10.4.4_build20111103.182011-12-16
CVE-2011-4851 [CRITICAL] CWE-255 CVE-2011-4851: The Control Panel in Parallels Plesk Panel 10.4.4_build20111103.18 generates a password form field w The Control Panel in Parallels Plesk Panel 10.4.4_build20111103.18 generates a password form field without disabling the autocomplete feature, which makes it easier for remote attackers to bypass authentication by leveraging an unattended workstation, as demonstrated by forms in server/google-tools/ and certain other files.
nvd
CVE-2011-4730P3CRITICALCVSS 10.0v10.2.0_build1011110331.182011-12-16
CVE-2011-4730 [CRITICAL] CWE-255 CVE-2011-4730: The Server Administration Panel in Parallels Plesk Panel 10.2.0_build1011110331.18 generates a passw The Server Administration Panel in Parallels Plesk Panel 10.2.0_build1011110331.18 generates a password form field without disabling the autocomplete feature, which makes it easier for remote attackers to bypass authentication by leveraging an unattended workstation, as demonstrated by forms in admin/reseller/login-info/ and certain other files.
nvd
CVE-2011-4749P3CRITICALCVSS 10.0v10.3.1_build1013110726.092011-12-16
CVE-2011-4749 [CRITICAL] CWE-255 CVE-2011-4749: The billing system for Parallels Plesk Panel 10.3.1_build1013110726.09 generates a password form fie The billing system for Parallels Plesk Panel 10.3.1_build1013110726.09 generates a password form field without disabling the autocomplete feature, which makes it easier for remote attackers to bypass authentication by leveraging an unattended workstation, as demonstrated by forms on certain pages under admin/index.php/default.
nvd
CVE-2011-4744P3CRITICALCVSS 10.0v10.2.0_build20110407.202011-12-16
CVE-2011-4744 [CRITICAL] CVE-2011-4744: The Control Panel in Parallels Plesk Panel 10.2.0 build 20110407.20 sends incorrect Content-Type hea The Control Panel in Parallels Plesk Panel 10.2.0 build 20110407.20 sends incorrect Content-Type headers for certain resources, which might allow remote attackers to have an unspecified impact by leveraging an interpretation conflict involving smb/admin-home/featured-applications/ and certain other files. NOTE: it is possible that only clients, not the Ples
nvd
CVE-2011-4743P3CRITICALCVSS 10.0v10.2.0_build20110407.202011-12-16
CVE-2011-4743 [CRITICAL] CVE-2011-4743: The Control Panel in Parallels Plesk Panel 10.2.0 build 20110407.20 omits the Content-Type header's The Control Panel in Parallels Plesk Panel 10.2.0 build 20110407.20 omits the Content-Type header's charset parameter for certain resources, which might allow remote attackers to have an unspecified impact by leveraging an interpretation conflict involving smb/user/create and certain other files. NOTE: it is possible that only clients, not the Plesk product,
nvd
CVE-2011-4732P3CRITICALCVSS 10.0v10.2.0_build1011110331.182011-12-16
CVE-2011-4732 [CRITICAL] CVE-2011-4732: The Server Administration Panel in Parallels Plesk Panel 10.2.0_build1011110331.18 omits the Content The Server Administration Panel in Parallels Plesk Panel 10.2.0_build1011110331.18 omits the Content-Type header's charset parameter for certain resources, which might allow remote attackers to have an unspecified impact by leveraging an interpretation conflict involving account/power-mode-logout and certain other files. NOTE: it is possible that only clien
nvd
CVE-2011-4733P3CRITICALCVSS 10.0v10.2.0_build1011110331.182011-12-16
CVE-2011-4733 [CRITICAL] CVE-2011-4733: The Server Administration Panel in Parallels Plesk Panel 10.2.0_build1011110331.18 sends incorrect C The Server Administration Panel in Parallels Plesk Panel 10.2.0_build1011110331.18 sends incorrect Content-Type headers for certain resources, which might allow remote attackers to have an unspecified impact by leveraging an interpretation conflict involving smb/admin-home/disable-featured-applications-promo and certain other files. NOTE: it is possible tha
nvd
CVE-2011-4725P3HIGHCVSS 7.5v10.2.0_build1011110331.182011-12-16
CVE-2011-4725 [HIGH] CWE-89 CVE-2011-4725: Multiple SQL injection vulnerabilities in the Server Administration Panel in Parallels Plesk Panel 1 Multiple SQL injection vulnerabilities in the Server Administration Panel in Parallels Plesk Panel 10.2.0_build1011110331.18 allow remote attackers to execute arbitrary SQL commands via crafted input to a PHP script, as demonstrated by login_up.php3 and certain other files.
nvd
CVE-2011-4856P3CRITICALCVSS 9.3v10.4.4_build20111103.182011-12-16
CVE-2011-4856 [CRITICAL] CVE-2011-4856: The Control Panel in Parallels Plesk Panel 10.4.4_build20111103.18 sends incorrect Content-Type head The Control Panel in Parallels Plesk Panel 10.4.4_build20111103.18 sends incorrect Content-Type headers for certain resources, which might allow remote attackers to have an unspecified impact by leveraging an interpretation conflict involving admin/health/parameters and certain other files. NOTE: it is possible that only clients, not the Plesk product, coul
nvd
CVE-2011-4734P3HIGHCVSS 7.5v10.2.0_build20110407.202011-12-16
CVE-2011-4734 [HIGH] CWE-89 CVE-2011-4734: Multiple SQL injection vulnerabilities in the Control Panel in Parallels Plesk Panel 10.2.0 build 20 Multiple SQL injection vulnerabilities in the Control Panel in Parallels Plesk Panel 10.2.0 build 20110407.20 allow remote attackers to execute arbitrary SQL commands via crafted input to a PHP script, as demonstrated by file-manager/ and certain other files.
nvd
CVE-2011-4847P3HIGHCVSS 7.5v10.4.4_build20111103.182011-12-16
CVE-2011-4847 [HIGH] CWE-89 CVE-2011-4847: SQL injection vulnerability in the Control Panel in Parallels Plesk Panel 10.4.4_build20111103.18 al SQL injection vulnerability in the Control Panel in Parallels Plesk Panel 10.4.4_build20111103.18 allows remote attackers to execute arbitrary SQL commands via a certificateslist cookie to notification@/.
nvd
CVE-2011-4854P3CRITICALCVSS 9.3v10.4.4_build20111103.182011-12-16
CVE-2011-4854 [CRITICAL] CVE-2011-4854: The Control Panel in Parallels Plesk Panel 10.4.4_build20111103.18 does not ensure that Content-Type The Control Panel in Parallels Plesk Panel 10.4.4_build20111103.18 does not ensure that Content-Type HTTP headers match the corresponding Content-Type data in HTML META elements, which might allow remote attackers to have an unspecified impact by leveraging an interpretation conflict involving the get_enabled_product_icon program. NOTE: it is possible that
nvd
CVE-2011-4855P3CRITICALCVSS 9.3v10.4.4_build20111103.182011-12-16
CVE-2011-4855 [CRITICAL] CVE-2011-4855: The Control Panel in Parallels Plesk Panel 10.4.4_build20111103.18 omits the Content-Type header's c The Control Panel in Parallels Plesk Panel 10.4.4_build20111103.18 omits the Content-Type header's charset parameter for certain resources, which might allow remote attackers to have an unspecified impact by leveraging an interpretation conflict involving admin/customer-service-plan/list/reset-search/true/ and certain other files. NOTE: it is possible that
nvd
CVE-2011-4727P3CRITICALCVSS 10.0v10.2.0_build1011110331.182011-12-16
CVE-2011-4727 [CRITICAL] CWE-20 CVE-2011-4727: The Server Administration Panel in Parallels Plesk Panel 10.2.0_build1011110331.18 does not properly The Server Administration Panel in Parallels Plesk Panel 10.2.0_build1011110331.18 does not properly validate string data that is intended for storage in an XML document, which allows remote attackers to cause a denial of service (parsing error) or possibly have unspecified other impact via a crafted REST URL parameter, as demonstrated by parameters
nvd
CVE-2013-0132P4MEDIUMCVSS 6.8v11.0.92013-04-18
CVE-2013-0132 [MEDIUM] CWE-94 CVE-2013-0132: The suexec implementation in Parallels Plesk Panel 11.0.9 contains a cgi-wrapper whitelist entry, wh The suexec implementation in Parallels Plesk Panel 11.0.9 contains a cgi-wrapper whitelist entry, which allows user-assisted remote attackers to execute arbitrary PHP code via a request containing crafted environment variables.
nvd
CVE-2013-0133P4HIGHCVSS 7.2v11.0.92013-04-18
CVE-2013-0133 [HIGH] CVE-2013-0133: Untrusted search path vulnerability in /usr/local/psa/admin/sbin/wrapper in Parallels Plesk Panel 11 Untrusted search path vulnerability in /usr/local/psa/admin/sbin/wrapper in Parallels Plesk Panel 11.0.9 allows local users to gain privileges via a crafted PATH environment variable.
nvd
CVE-2019-18793P4MEDIUMCVSS 6.1v9.52019-11-13
CVE-2019-18793 [MEDIUM] CWE-79 CVE-2019-18793: Parallels Plesk Panel 9.5 allows XSS in target/locales/tr-TR/help/index.htm? via the "fileName" para Parallels Plesk Panel 9.5 allows XSS in target/locales/tr-TR/help/index.htm? via the "fileName" parameter.
nvd
Parallels Plesk Panel vulnerabilities | cvebase