ID CVE-2011-4749
Summary The billing system for Parallels Plesk Panel 10.3.1_build1013110726.09 generates a password form field without disabling the autocomplete feature, which makes it easier for remote attackers to bypass authentication by leveraging an unattended workstation, as demonstrated by forms on certain pages under admin/index.php/default.
References
Vulnerable Configurations
  • cpe:2.3:a:parallels:parallels_plesk_panel:10.3.1_build1013110726.09:*:*:*:*:*:*:*
    cpe:2.3:a:parallels:parallels_plesk_panel:10.3.1_build1013110726.09:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*
    cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*
CVSS
Base: 10.0 (as of 22-04-2019 - 17:48)
Impact:
Exploitability:
CWE CWE-255
CAPEC
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
COMPLETE COMPLETE COMPLETE
cvss-vector via4 AV:N/AC:L/Au:N/C:C/I:C/A:C
refmap via4
misc http://xss.cx/examples/plesk-reports/plesk-parallels-controlpanel-psa.v.10.3.1_build1013110726.09%20os_redhat.el6-billing-system-plugin-javascript-injection-example-poc-report.html
xf plesk-billing-system-sec-bypass(72260)
Last major update 22-04-2019 - 17:48
Published 16-12-2011 - 11:55
Back to Top