Cross-Site Scripting (XSS) vulnerability in Plesk
The reported vulnerability affects Plesk versions between version 17.0 and 18.0.31.
INCIBE has coordinated the publication of a vulnerability in Plesk, which has been discovered by Tarek Bouali (@iambouali).
CVE-2023-0829 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.
This vulnerability is fixed in the latest supported versions of Plesk.
For the affected versions, Plesk has released a security patch. More information can be found here.
Plesk versions 17.0 through 18.0.31 are vulnerable to Cross-Site Scripting. A malicious subscription owner (either a customer or an additional user) can fully compromise the server if an administrator visits a certain page in Plesk related to the malicious subscription.
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').
If you have any information regarding this advisory, please contact INCIBE as indicated in the CVE assignment and publication.