CVE-2011-4749 - The billing system for Parallels Plesk Panel 10.3.1_build1013110726.09 generates a password form fie

CVE-2011-4749

Summary

The billing system for Parallels Plesk Panel 10.3.1_build1013110726.09 generates a password form field without disabling the autocomplete feature, which makes it easier for remote attackers to bypass authentication by leveraging an unattended workstation, as demonstrated by forms on certain pages under admin/index.php/default.

References

Vulnerable Configurations

cpe:2.3:a:parallels:parallels_plesk_panel:10.3.1_build1013110726.09:*:*:*:*:*:*:*
cpe:2.3:a:parallels:parallels_plesk_panel:10.3.1_build1013110726.09:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*

CVSS

Base:	10.0 (as of 22-04-2019 - 17:48)
Impact:
Exploitability:

CWE

CWE-255

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	LOW	NONE

Impact

Confidentiality	Integrity	Availability
COMPLETE	COMPLETE	COMPLETE

cvss-vector via4

AV:N/AC:L/Au:N/C:C/I:C/A:C

refmap via4

misc	http://xss.cx/examples/plesk-reports/plesk-parallels-controlpanel-psa.v.10.3.1_build1013110726.09%20os_redhat.el6-billing-system-plugin-javascript-injection-example-poc-report.html
xf	plesk-billing-system-sec-bypass(72260)

Last major update

22-04-2019 - 17:48

Published

16-12-2011 - 11:55

Last modified

22-04-2019 - 17:48