Cross-Site Scripting (XSS) vulnerability in Plesk

Posted date 17/02/2023
4 - High
Affected Resources

The reported vulnerability affects Plesk versions between version 17.0 and 18.0.31.


INCIBE has coordinated the publication of a vulnerability in Plesk, which has been discovered by Tarek Bouali (@iambouali).

CVE-2023-0829 has been assigned to this vulnerability. A CVSS v3.1 base score of 8,8  has been calculated; the CVSS vector string is AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.


This vulnerability is fixed in the latest supported versions of Plesk

For the affected versions, Plesk has released a security patch. More information can be found here.


Plesk 17.0 through 18.0.31 version, is vulnerable to a Cross-Site Scripting. A malicious subscription owner (either a customer or an additional user), can fully compromise the server if an administrator visits a certain page in Plesk related to the malicious subscription.

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').

If you have any information regarding this advisory, please contact INCIBE as indicated in the CVE assignment and publication.

Encuesta valoración