CVE Daily
← All tags

Tag: Plesk

All CVEs associated with "Plesk". Page 1/1 • 88 CVEs.

About “Plesk”

A curated feed of “Plesk”-related CVEs appears below. We currently track 88 CVEs for this tag (all time). In the last 365 days, 6 were published. Average CVSS is 6.6 (all time; 8.3 over 365d), and 41% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-643 - Improper Neutralization of Data within XPath Expressions ('XPath Injection'), CWE-400 - Uncontrolled Resource Consumption, CWE-284 - Improper Access Control.

In our taxonomy this topic maps to a LOW impact class. Hosting control panels manage many sites and credentials. Patch promptly, restrict panel access by IP, enforce MFA, back up configs, and review extensions. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

Support & lifecycle: plesk

This table shows recent release cycles and their projected end-of-life. Data source: endoflife.date.

CycleReleaseLatestEOLLTS
18.0.7818.0.78.3 Soon
18.0.7718.0.77.5 Soon
18.0.7618.0.76.6 Expired
18.0.7518.0.75.1 Expired
18.0.7418.0.74.3 Expired
18.0.7318.0.73.5 Expired
18.0.7218.0.72.3 Expired
18.0.7118.0.71.2 Expired
18.0.7018.0.70.4 Expired
18.0.6918.0.69.4 Expired
18.0.6818.0.68.2 Expired
18.0.6718.0.67.3 Expired
18.0.6618.0.66.2 Expired
18.0.6518.0.65.2 Expired
18.0.6418.0.64.1 Expired
18.0.6318.0.63.4 Expired
18.0.6218.0.62.2 Expired
18.0.6118.0.61.6 Expired
18.0.6018.0.60.1 Expired
18.0.5918.0.59.2 Expired
18.0.5818.0.58.2 Expired
18.0.5718.0.57.5 Expired
18.0.5618.0.56.4 Expired
18.0.5518.0.55.2 Expired
18.0.5418.0.54.4 Expired
18.0.5318.0.53.2 Expired
18.0.5218.0.52.3 Expired
18.0.5118.0.51.1 Expired
18.0.5018.0.50.2 Expired
18.0.4918.0.49.2 Expired
1717.8.11.95 Expired

Maintained Soon (≤ 180 days) Expired

Subscribe lifecycle: RSS  ·  RSS (expired)  ·  ICS

Subscribe CVEs: RSS for “Plesk”  ·  RSS (High+Critical only)

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0
2026-05-29
Critical

CVE-2026-44962

Plesk contains an XPath injection vulnerability in the APS Application Catalog search functionality, where user-supplied input is interpolated into XPath queries without proper sanitization. This all…

CVSS: 9.9 CWE: CWE-643 - Improper Neutralization of Data within XPath Expressions ('XPath Injection') View on NVD
2026-01-08
High

CVE-2025-65518

Plesk Obsidian versions 8.0.1 through 18.0.73 are vulnerable to a Denial of Service (DoS) condition. The vulnerability exists in the get_password.php endpoint, where a crafted request containing a ma…

CVSS: 7.5 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
2025-12-12
Critical

CVE-2025-66430

Plesk 18.0 has Incorrect Access Control.

CVSS: 9.1 CWE: CWE-284 - Improper Access Control View on NVD
2025-12-03
High

CVE-2025-66431

WebPros Plesk before 18.0.73.5 and 18.0.74 before 18.0.74.2 on Linux allows remote authenticated users to execute arbitrary code as root via domain creation. The attacker needs "Create and manage sit…

CVSS: 7.8 CWE: CWE-61 - UNIX Symbolic Link (Symlink) Following View on NVD
2025-08-19
Critical

CVE-2025-54336

In Plesk Obsidian 18.0.70, _isAdminPasswordValid uses an == comparison. Thus, if the correct password is "0e" followed by any digit string, then an attacker can login with any other string that evalu…

CVSS: 9.8 CWE: CWE-697 - Incorrect Comparison View on NVD
2025-07-03
Medium

CVE-2025-49618

In Plesk Obsidian 18.0.69, unauthenticated requests to /login_up.php can reveal an AWS accessKeyId, secretAccessKey, region, and endpoint.

CVSS: 5.8 CWE: CWE-402 - Transmission of Private Resources into a New Sphere ('Resource Leak') View on NVD
2025-02-27
Medium

CVE-2025-24832

Arbitrary file overwrite during home directory recovery due to improper symbolic link handling. The following products are affected: Acronis Backup plugin for cPanel & WHM (Linux) before build 1.8.4.…

CVSS: 5.5 CWE: CWE-61 - UNIX Symbolic Link (Symlink) Following View on NVD
2024-11-11
Medium

CVE-2024-34014

Arbitrary file overwrite during recovery due to improper symbolic link handling. The following products are affected: Acronis Backup plugin for cPanel & WHM (Linux) before build 1.8.3.818, Acronis Ba…

CVSS: 5.5 CWE: CWE-61 - UNIX Symbolic Link (Symlink) Following View on NVD
2024-09-17
Critical

CVE-2024-8767

Sensitive data disclosure and manipulation due to unnecessary privileges assignment. The following products are affected: Acronis Backup plugin for cPanel & WHM (Linux) before build 619, Acronis Back…

CVSS: 9.9 CWE: CWE-250 - Execution with Unnecessary Privileges View on NVD
2023-11-27
Medium

CVE-2023-4931

Uncontrolled search path element vulnerability in Plesk Installer affects version 3.27.0.0. A local attacker could execute arbitrary code by injecting DLL files into the same folder where the applica…

CVSS: 6.3 CWE: CWE-427 - Uncontrolled Search Path Element View on NVD
2023-09-22
High

CVE-2023-43784

Plesk Onyx 17.8.11 has accessKeyId and secretAccessKey fields that are related to an Amazon AWS Firehose component. NOTE: the vendor's position is that there is no security threat.

CVSS: 7.5 CWE: CWE-668 - Exposure of Resource to Wrong Sphere View on NVD
2023-09-20
High

CVE-2023-0829

Plesk 17.0 through 18.0.31 version, is vulnerable to a Cross-Site Scripting. A malicious subscription owner (either a customer or an additional user), can fully compromise the server if an administra…

CVSS: 8.8 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2023-01-22
Medium

CVE-2023-24044

A Host Header Injection issue on the Login page of Plesk Obsidian through 18.0.49 allows attackers to redirect users to malicious websites via a Host request header. NOTE: the vendor's position is "t…

CVSS: 6.1 CWE: CWE-601 - URL Redirection to Untrusted Site ('Open Redirect') View on NVD
2022-11-10
Medium

CVE-2022-45130

Plesk Obsidian allows a CSRF attack, e.g., via the /api/v2/cli/commands REST API to change an Admin password. NOTE: Obsidian is a specific version of the Plesk product: version numbers were used thro…

CVSS: 6.5 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD
2022-02-21
High

CVE-2021-45008

Plesk CMS 18.0.37 is affected by an insecure permissions vulnerability that allows privilege Escalation from user to admin rights. OTE: the vendor states that this is only a site-specific problem on…

CVSS: 8.8 CWE: CWE-281 - Improper Preservation of Permissions View on NVD
2022-02-20
Medium

CVE-2021-45007

Plesk 18.0.37 is affected by a Cross Site Request Forgery (CSRF) vulnerability that allows an attacker to insert data on the user and admin panel. NOTE: the vendor states that this is only a site-spe…

CVSS: 6.5 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD
2021-09-10
Medium

CVE-2021-35976

The feature to preview a website in Plesk Obsidian 18.0.0 through 18.0.32 on Linux is vulnerable to reflected XSS via the /plesk-site-preview/ PATH, aka PFSI-62467. The attacker could execute JavaScr…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2020-08-03
Medium

CVE-2020-11584

A GET-based XSS reflected vulnerability in Plesk Onyx 17.8.11 allows remote unauthenticated users to inject arbitrary JavaScript, HTML, or CSS via a GET parameter.

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2020-11583

A GET-based XSS reflected vulnerability in Plesk Obsidian 18.0.17 allows remote unauthenticated users to inject arbitrary JavaScript, HTML, or CSS via a GET parameter.

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2019-11-13
Medium

CVE-2019-18793

Parallels Plesk Panel 9.5 allows XSS in target/locales/tr-TR/help/index.htm? via the "fileName" parameter.

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2018-01-14
Low

CVE-2018-5693

The LinuxMagic MagicSpam extension before 2.0.14-1 for Plesk allows local users to discover mailbox names by reading /var/log/magicspam/mslog.

CVSS: 3.3 CWE: CWE-532 - Insertion of Sensitive Information into Log File View on NVD
2013-07-18
High

CVE-2013-4878

The default configuration of Parallels Plesk Panel 9.0.x and 9.2.x on UNIX, and Small Business Panel 10.x on UNIX, has an improper ScriptAlias directive for phppath, which makes it easier for remote…

CVSS: 7.5 CWE: CWE-264 View on NVD
2013-04-18
High

CVE-2013-0133

Untrusted search path vulnerability in /usr/local/psa/admin/sbin/wrapper in Parallels Plesk Panel 11.0.9 allows local users to gain privileges via a crafted PATH environment variable.

CVSS: 7.2 CWE: N/A View on NVD
Medium

CVE-2013-0132

The suexec implementation in Parallels Plesk Panel 11.0.9 contains a cgi-wrapper whitelist entry, which allows user-assisted remote attackers to execute arbitrary PHP code via a request containing cr…

CVSS: 6.8 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2012-03-12
High

CVE-2012-1557

SQL injection vulnerability in admin/plib/api-rpc/Agent.php in Parallels Plesk Panel 7.x and 8.x before 8.6 MU#2, 9.x before 9.5 MU#11, 10.0.x before MU#13, 10.1.x before MU#22, 10.2.x before MU#16,…

CVSS: 7.5 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
2011-12-16
Critical

CVE-2011-4856

The Control Panel in Parallels Plesk Panel 10.4.4_build20111103.18 sends incorrect Content-Type headers for certain resources, which might allow remote attackers to have an unspecified impact by leve…

CVSS: 9.3 CWE: N/A View on NVD
Critical

CVE-2011-4855

The Control Panel in Parallels Plesk Panel 10.4.4_build20111103.18 omits the Content-Type header's charset parameter for certain resources, which might allow remote attackers to have an unspecified i…

CVSS: 9.3 CWE: N/A View on NVD
Critical

CVE-2011-4854

The Control Panel in Parallels Plesk Panel 10.4.4_build20111103.18 does not ensure that Content-Type HTTP headers match the corresponding Content-Type data in HTML META elements, which might allow re…

CVSS: 9.3 CWE: N/A View on NVD
Medium

CVE-2011-4853

The Control Panel in Parallels Plesk Panel 10.4.4_build20111103.18 includes an RFC 1918 IP address within a web page, which allows remote attackers to obtain potentially sensitive information by read…

CVSS: 4.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2011-4852

The Control Panel in Parallels Plesk Panel 10.4.4_build20111103.18 generates web pages containing external links in response to GET requests with query strings for enterprise/mobile-monitor/ and cert…

CVSS: 4.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Critical

CVE-2011-4851

The Control Panel in Parallels Plesk Panel 10.4.4_build20111103.18 generates a password form field without disabling the autocomplete feature, which makes it easier for remote attackers to bypass aut…

CVSS: 9.3 CWE: CWE-255 View on NVD
Medium

CVE-2011-4850

The Control Panel in Parallels Plesk Panel 10.4.4_build20111103.18 does not include the HTTPOnly flag in a Set-Cookie header for a cookie, which makes it easier for remote attackers to obtain potenti…

CVSS: 4.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2011-4849

The Control Panel in Parallels Plesk Panel 10.4.4_build20111103.18 does not set the secure flag for a cookie in an https session, which makes it easier for remote attackers to capture this cookie by…

CVSS: 4.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2011-4848

The Control Panel in Parallels Plesk Panel 10.4.4_build20111103.18 includes a submitted password within an HTTP response body, which allows remote attackers to obtain sensitive information by sniffin…

CVSS: 4.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
High

CVE-2011-4847

SQL injection vulnerability in the Control Panel in Parallels Plesk Panel 10.4.4_build20111103.18 allows remote attackers to execute arbitrary SQL commands via a certificateslist cookie to notificati…

CVSS: 7.5 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
Medium

CVE-2011-4777

Cross-site scripting (XSS) vulnerability in the Site Editor (aka SiteBuilder) feature in Parallels Plesk Panel 10.4.4_build20111103.18 allows remote attackers to inject arbitrary web script or HTML v…

CVSS: 4.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2011-4776

Multiple cross-site scripting (XSS) vulnerabilities in the Control Panel in Parallels Plesk Panel 10.4.4_build20111103.18 allow remote attackers to inject arbitrary web script or HTML via crafted inp…

CVSS: 4.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Critical

CVE-2011-4768

The Site Editor (aka SiteBuilder) feature in Parallels Plesk Small Business Panel 10.2.0 omits the Content-Type header's charset parameter for certain resources, which might allow remote attackers to…

CVSS: 10.0 CWE: N/A View on NVD
Medium

CVE-2011-4767

The Site Editor (aka SiteBuilder) feature in Parallels Plesk Small Business Panel 10.2.0 has web pages containing e-mail addresses that are not intended for correspondence about the local application…

CVSS: 5.0 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2011-4766

The Site Editor (aka SiteBuilder) feature in Parallels Plesk Small Business Panel 10.2.0 allows remote attackers to obtain ASP source code via a direct request to wysiwyg/fckconfig.js. NOTE: CVE dis…

CVSS: 5.0 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2011-4765

The Site Editor (aka SiteBuilder) feature in Parallels Plesk Small Business Panel 10.2.0 does not include the HTTPOnly flag in a Set-Cookie header for a cookie, which makes it easier for remote attac…

CVSS: 4.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2011-4764

Multiple cross-site scripting (XSS) vulnerabilities in the Site Editor (aka SiteBuilder) feature in Parallels Plesk Small Business Panel 10.2.0 allow remote attackers to inject arbitrary web script o…

CVSS: 4.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
High

CVE-2011-4763

Multiple SQL injection vulnerabilities in the Site Editor (aka SiteBuilder) feature in Parallels Plesk Small Business Panel 10.2.0 allow remote attackers to execute arbitrary SQL commands via crafted…

CVSS: 7.5 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
Critical

CVE-2011-4762

Parallels Plesk Small Business Panel 10.2.0 sends incorrect Content-Type headers for certain resources, which might allow remote attackers to have an unspecified impact by leveraging an interpretatio…

CVSS: 10.0 CWE: N/A View on NVD
Critical

CVE-2011-4761

Parallels Plesk Small Business Panel 10.2.0 omits the Content-Type header's charset parameter for certain resources, which might allow remote attackers to have an unspecified impact by leveraging an…

CVSS: 10.0 CWE: N/A View on NVD
Medium

CVE-2011-4760

Parallels Plesk Small Business Panel 10.2.0 has web pages containing e-mail addresses that are not intended for correspondence about the local application deployment, which allows remote attackers to…

CVSS: 5.0 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2011-4759

Parallels Plesk Small Business Panel 10.2.0 generates web pages containing external links in response to GET requests with query strings for client@1/domain@1/hosting/file-manager/ and certain other…

CVSS: 5.0 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2011-4758

Parallels Plesk Small Business Panel 10.2.0 receives cleartext password input over HTTP, which allows remote attackers to obtain sensitive information by sniffing the network, as demonstrated by form…

CVSS: 5.0 CWE: CWE-310 View on NVD
Critical

CVE-2011-4757

Parallels Plesk Small Business Panel 10.2.0 generates a password form field without disabling the autocomplete feature, which makes it easier for remote attackers to bypass authentication by leveragi…

CVSS: 10.0 CWE: CWE-255 View on NVD
Medium

CVE-2011-4756

Parallels Plesk Small Business Panel 10.2.0 does not include the HTTPOnly flag in a Set-Cookie header for a cookie, which makes it easier for remote attackers to obtain potentially sensitive informat…

CVSS: 5.0 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Critical

CVE-2011-4755

Parallels Plesk Small Business Panel 10.2.0 does not properly validate string data that is intended for storage in an XML document, which allows remote attackers to cause a denial of service (parsing…

CVSS: 10.0 CWE: CWE-20 - Improper Input Validation View on NVD
Medium

CVE-2011-4754

Multiple cross-site scripting (XSS) vulnerabilities in Parallels Plesk Small Business Panel 10.2.0 allow remote attackers to inject arbitrary web script or HTML via crafted input to a PHP script, as…

CVSS: 4.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
High

CVE-2011-4753

Multiple SQL injection vulnerabilities in Parallels Plesk Small Business Panel 10.2.0 allow remote attackers to execute arbitrary SQL commands via crafted input to a PHP script, as demonstrated by do…

CVSS: 7.5 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
Critical

CVE-2011-4749

The billing system for Parallels Plesk Panel 10.3.1_build1013110726.09 generates a password form field without disabling the autocomplete feature, which makes it easier for remote attackers to bypass…

CVSS: 10.0 CWE: CWE-255 View on NVD
Medium

CVE-2011-4748

The billing system for Parallels Plesk Panel 10.3.1_build1013110726.09 has web pages containing e-mail addresses that are not intended for correspondence about the local application deployment, which…

CVSS: 5.0 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2011-4747

The billing system for Parallels Plesk Panel 10.3.1_build1013110726.09 does not prevent the use of weak ciphers for SSL sessions, which makes it easier for remote attackers to defeat cryptographic pr…

CVSS: 5.0 CWE: CWE-310 View on NVD
Medium

CVE-2011-4746

The billing system for Parallels Plesk Panel 10.3.1_build1013110726.09 does not disable the SSL 2.0 protocol, which makes it easier for remote attackers to conduct spoofing attacks by leveraging prot…

CVSS: 5.0 CWE: CWE-310 View on NVD
Medium

CVE-2011-4745

Multiple cross-site scripting (XSS) vulnerabilities in the billing system for Parallels Plesk Panel 10.3.1_build1013110726.09 allow remote attackers to inject arbitrary web script or HTML via crafted…

CVSS: 4.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Critical

CVE-2011-4744

The Control Panel in Parallels Plesk Panel 10.2.0 build 20110407.20 sends incorrect Content-Type headers for certain resources, which might allow remote attackers to have an unspecified impact by lev…

CVSS: 10.0 CWE: N/A View on NVD
Critical

CVE-2011-4743

The Control Panel in Parallels Plesk Panel 10.2.0 build 20110407.20 omits the Content-Type header's charset parameter for certain resources, which might allow remote attackers to have an unspecified…

CVSS: 10.0 CWE: N/A View on NVD
Medium

CVE-2011-4742

The Control Panel in Parallels Plesk Panel 10.2.0 build 20110407.20 has web pages containing e-mail addresses that are not intended for correspondence about the local application deployment, which al…

CVSS: 5.0 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2011-4741

The Control Panel in Parallels Plesk Panel 10.2.0 build 20110407.20 includes a database connection string within a web page, which allows remote attackers to obtain potentially sensitive information…

CVSS: 5.0 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2011-4740

The Control Panel in Parallels Plesk Panel 10.2.0 build 20110407.20 generates web pages containing external links in response to GET requests with query strings for smb/app/search-data/catalogId/mark…

CVSS: 4.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Critical

CVE-2011-4739

The Control Panel in Parallels Plesk Panel 10.2.0 build 20110407.20 generates a password form field without disabling the autocomplete feature, which makes it easier for remote attackers to bypass au…

CVSS: 10.0 CWE: CWE-255 View on NVD
Medium

CVE-2011-4738

The Control Panel in Parallels Plesk Panel 10.2.0 build 20110407.20 does not include the HTTPOnly flag in a Set-Cookie header for a cookie, which makes it easier for remote attackers to obtain potent…

CVSS: 5.0 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2011-4737

The Control Panel in Parallels Plesk Panel 10.2.0 build 20110407.20 includes a submitted password within an HTTP response body, which allows remote attackers to obtain sensitive information by sniffi…

CVSS: 5.0 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2011-4736

The Control Panel in Parallels Plesk Panel 10.2.0 build 20110407.20 receives cleartext password input over HTTP, which allows remote attackers to obtain sensitive information by sniffing the network,…

CVSS: 5.0 CWE: CWE-310 View on NVD
Medium

CVE-2011-4735

Multiple cross-site scripting (XSS) vulnerabilities in the Control Panel in Parallels Plesk Panel 10.2.0 build 20110407.20 allow remote attackers to inject arbitrary web script or HTML via crafted in…

CVSS: 4.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
High

CVE-2011-4734

Multiple SQL injection vulnerabilities in the Control Panel in Parallels Plesk Panel 10.2.0 build 20110407.20 allow remote attackers to execute arbitrary SQL commands via crafted input to a PHP scrip…

CVSS: 7.5 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
Critical

CVE-2011-4733

The Server Administration Panel in Parallels Plesk Panel 10.2.0_build1011110331.18 sends incorrect Content-Type headers for certain resources, which might allow remote attackers to have an unspecifie…

CVSS: 10.0 CWE: N/A View on NVD
Critical

CVE-2011-4732

The Server Administration Panel in Parallels Plesk Panel 10.2.0_build1011110331.18 omits the Content-Type header's charset parameter for certain resources, which might allow remote attackers to have…

CVSS: 10.0 CWE: N/A View on NVD
Medium

CVE-2011-4731

The Server Administration Panel in Parallels Plesk Panel 10.2.0_build1011110331.18 includes an RFC 1918 IP address within a web page, which allows remote attackers to obtain potentially sensitive inf…

CVSS: 5.0 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Critical

CVE-2011-4730

The Server Administration Panel in Parallels Plesk Panel 10.2.0_build1011110331.18 generates a password form field without disabling the autocomplete feature, which makes it easier for remote attacke…

CVSS: 10.0 CWE: CWE-255 View on NVD
Medium

CVE-2011-4729

The Server Administration Panel in Parallels Plesk Panel 10.2.0_build1011110331.18 does not include the HTTPOnly flag in a Set-Cookie header for a cookie, which makes it easier for remote attackers t…

CVSS: 5.0 CWE: N/A View on NVD
Medium

CVE-2011-4728

The Server Administration Panel in Parallels Plesk Panel 10.2.0_build1011110331.18 does not set the secure flag for a cookie in an https session, which makes it easier for remote attackers to capture…

CVSS: 5.0 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Critical

CVE-2011-4727

The Server Administration Panel in Parallels Plesk Panel 10.2.0_build1011110331.18 does not properly validate string data that is intended for storage in an XML document, which allows remote attacker…

CVSS: 10.0 CWE: CWE-20 - Improper Input Validation View on NVD
Medium

CVE-2011-4726

Multiple cross-site scripting (XSS) vulnerabilities in the Server Administration Panel in Parallels Plesk Panel 10.2.0_build1011110331.18 allow remote attackers to inject arbitrary web script or HTML…

CVSS: 4.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
High

CVE-2011-4725

Multiple SQL injection vulnerabilities in the Server Administration Panel in Parallels Plesk Panel 10.2.0_build1011110331.18 allow remote attackers to execute arbitrary SQL commands via crafted input…

CVSS: 7.5 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
2009-08-19
Medium

CVE-2008-6984

Plesk 8.6.0, when short mail login names (SHORTNAMES) are enabled, allows remote attackers to bypass authentication and send spam e-mail via a message with (1) a base64-encoded username that begins w…

CVSS: 5.8 CWE: CWE-287 - Improper Authentication View on NVD
2008-08-10
High

CVE-2008-3579

Calacode @Mail 5.41 on Linux does not require administrative authentication for build-plesk-upgrade.php, which allows remote attackers to obtain sensitive information by creating and downloading a ba…

CVSS: 7.8 CWE: CWE-287 - Improper Authentication View on NVD
2007-09-14
High

CVE-2007-4892

Multiple SQL injection vulnerabilities in SWSoft Plesk 7.6.1, 8.1.0, 8.1.1, and 8.2.0 for Windows allow remote attackers to execute arbitrary SQL commands via a PLESKSESSID cookie to (1) login.php3 o…

CVSS: 7.5 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
2007-04-25
Medium

CVE-2007-2268

Multiple directory traversal vulnerabilities in SWsoft Plesk for Windows 7.6.1, 8.1.0, and 8.1.1 allow remote attackers to read arbitrary files via a .. (dot dot) in the locale_id parameter to (1) lo…

CVSS: 5.0 CWE: N/A View on NVD
Medium

CVE-2007-2269

Directory traversal vulnerability in top.php3 in SWsoft Plesk for Windows 8.1 and 8.1.1 allows remote attackers to read arbitrary files via a .. (dot dot) in the locale_id parameter.

CVSS: 5.0 CWE: N/A View on NVD
2006-12-10
Medium

CVE-2006-6451

Multiple cross-site scripting (XSS) vulnerabilities in SWsoft Plesk 8.0.1 and earlier allow remote attackers to inject arbitrary web script or HTML via unspecified parameters to (1) get_password.php…

CVSS: 6.8 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2006-09-27
Medium

CVE-2006-5028

Directory traversal vulnerability in filemanager/filemanager.php in SWsoft Plesk 7.5 Reload and Plesk 7.6 for Microsoft Windows allows remote attackers to list arbitrary directories via a ../ (dot do…

CVSS: 5.0 CWE: N/A View on NVD
2006-07-21
Medium

CVE-2006-3737

Cross-site scripting (XSS) vulnerability in filemanager/filemanager.php in the control panel in SWsoft Plesk 8.0 and earlier allows remote authenticated users to inject arbitrary web script or HTML v…

CVSS: 4.3 CWE: N/A View on NVD
2004-12-31
Medium

CVE-2004-2702

Cross-site scripting (XSS) vulnerability in login_up.php3 in Plesk 7.0 and 7.1 Reloaded allows remote attackers to inject arbitrary web script or HTML via the login_name parameter. NOTE: this might…

CVSS: 4.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2002-03-25
Medium

CVE-2001-1222

Plesk Server Administrator (PSA) 1.0 allows remote attackers to obtain PHP source code via an HTTP request containing the target's IP address and a valid account name for the domain.

CVSS: 5.0 CWE: N/A View on NVD
CVE Daily Lookup — auto-links CVE IDs on any page you visit. GitHub, Jira, Confluence & more. Free.
Chrome Firefox