CVE-2021-35976

Published: Sep 10, 2021Modified: Nov 21, 2024

6.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.7

Source: NVD

Description

The feature to preview a website in Plesk Obsidian 18.0.0 through 18.0.32 on Linux is vulnerable to reflected XSS via the /plesk-site-preview/ PATH, aka PFSI-62467. The attacker could execute JavaScript code in the victim's browser by using the link to preview sites hosted on the server. Authentication is not required to exploit the vulnerability.

Affected (1)

Products: Plesk: Obsidian

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Plesk Obsidian	From 18.0.0 to 18.0.32

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (6)

https://support.plesk.com/hc/en-us/articles/4402990507026

Source: cve@mitre.org

Vendor Advisory

https://tarekbouali.com/cves/cve-2021-35976

Source: cve@mitre.org

ExploitThird Party Advisory

https://www.bouali.io/cves/cve-2021-35976

Source: cve@mitre.org

Broken Link

https://support.plesk.com/hc/en-us/articles/4402990507026

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://tarekbouali.com/cves/cve-2021-35976

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

https://www.bouali.io/cves/cve-2021-35976

Source: af854a3a-2127-422b-91ae-364da2661108

Broken Link

Timeline

No history available yet.