Obsidian

obsidian

Vendor: Plesk • 4 CVEs

CVEs (4)

CVE | VENDORS | PRODUCTS | UPDATED | PUBLISHED | CVSS
Vendors: 1 (Plesk) | Products: 1 (Obsidian) | Updated: Apr 2, 2025 | Published: Jan 22, 2023 | CVSS: N/A (v4), 6.1 MEDIUM (v3), N/A (v2)
A Host Header Injection issue on the Login page of Plesk Obsidian through 18.0.49 allows attackers to redirect users to malicious websites via a Host request header. NOTE: the vendor's position is "the ability to use arbitrary domain names to access the panel is an intended feature."
Vendors: 1 (Plesk) | Products: 1 (Obsidian) | Updated: May 1, 2025 | Published: Nov 10, 2022 | CVSS: N/A (v4), 6.5 MEDIUM (v3), N/A (v2)
Plesk Obsidian allows a CSRF attack, e.g., via the /api/v2/cli/commands REST API to change an Admin password. NOTE: Obsidian is a specific version of the Plesk product: version numbers were used through version 12, and then the convention was changed so that versions are identified by names ("Obsidian"), not numbers.
Vendors: 1 (Plesk) | Products: 1 (Obsidian) | Updated: Nov 21, 2024 | Published: Sep 10, 2021 | CVSS: N/A (v4), 6.1 MEDIUM (v3), 4.3 MEDIUM (v2)
The feature to preview a website in Plesk Obsidian 18.0.0 through 18.0.32 on Linux is vulnerable to reflected XSS via the /plesk-site-preview/ PATH, aka PFSI-62467. The attacker could execute JavaScript code in the victim's browser by using the link to preview sites hosted on the server. Authentication is not required to exploit the vulnerability.
Vendors: 1 (Plesk) | Products: 1 (Obsidian) | Updated: Nov 21, 2024 | Published: Aug 3, 2020 | CVSS: N/A (v4), 6.1 MEDIUM (v3), 4.3 MEDIUM (v2)
A GET-based XSS reflected vulnerability in Plesk Obsidian 18.0.17 allows remote unauthenticated users to inject arbitrary JavaScript, HTML, or CSS via a GET parameter.