ID

VAR-201406-0490


TITLE

Parallels Plesk Panel XML External entity injection vulnerability

Trust: 1.6

sources: IVD: 3fea3924-1ed1-11e6-abef-000c29c66e3d // IVD: 7d7822e2-463f-11e9-944c-000c29342cb1 // CNVD: CNVD-2014-03746 // CNNVD: CNNVD-201406-331

DESCRIPTION

Parallels Plesk Panel is a host control panel solution from Parallels, USA. The solution supports web tools, built-in virtualization, customer experience, and more. An XML external entity injection vulnerability exists in Parallels Plesk Panel. An attacker could use this vulnerability to obtain sensitive information. Vulnerabilities exist in Parallels Plesk Panel 10.4.4 and 11.0.9. Other versions may also be affected. Attackers can exploit these issues to obtain potentially sensitive information and to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Trust: 1.71

sources: CNVD: CNVD-2014-03746 // CNNVD: CNNVD-201406-331 // BID: 68030 // IVD: 3fea3924-1ed1-11e6-abef-000c29c66e3d // IVD: 7d7822e2-463f-11e9-944c-000c29342cb1

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 1.0

sources: IVD: 3fea3924-1ed1-11e6-abef-000c29c66e3d // IVD: 7d7822e2-463f-11e9-944c-000c29342cb1 // CNVD: CNVD-2014-03746

AFFECTED PRODUCTS

vendor: parallels, model: plesk panel, scope: eq, version: 10.4.4

Trust: 1.0

sources: IVD: 3fea3924-1ed1-11e6-abef-000c29c66e3d // IVD: 7d7822e2-463f-11e9-944c-000c29342cb1 // CNVD: CNVD-2014-03746

CVSS

SEVERITY

CVSSV2

CVSSV3

CNVD: CNVD-2014-03746
value: MEDIUM

Trust: 0.6

IVD: 3fea3924-1ed1-11e6-abef-000c29c66e3d
value: MEDIUM

Trust: 0.2

IVD: 7d7822e2-463f-11e9-944c-000c29342cb1
value: MEDIUM

Trust: 0.2

CNVD: CNVD-2014-03746
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: 3fea3924-1ed1-11e6-abef-000c29c66e3d
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

IVD: 7d7822e2-463f-11e9-944c-000c29342cb1
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

sources: IVD: 3fea3924-1ed1-11e6-abef-000c29c66e3d // IVD: 7d7822e2-463f-11e9-944c-000c29342cb1 // CNVD: CNVD-2014-03746

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201406-331

TYPE

code injection

Trust: 0.6

sources: CNNVD: CNNVD-201406-331

EXTERNAL IDS

db: BID, id: 68030

Trust: 1.5

db: CNVD, id: CNVD-2014-03746

Trust: 1.0

db: CNNVD, id: CNNVD-201406-331

Trust: 0.6

db: IVD, id: 3FEA3924-1ED1-11E6-ABEF-000C29C66E3D

Trust: 0.2

db: IVD, id: 7D7822E2-463F-11E9-944C-000C29342CB1

Trust: 0.2

sources: IVD: 3fea3924-1ed1-11e6-abef-000c29c66e3d // IVD: 7d7822e2-463f-11e9-944c-000c29342cb1 // CNVD: CNVD-2014-03746 // BID: 68030 // CNNVD: CNNVD-201406-331

REFERENCES

url: http://www.securityfocus.com/bid/68030

Trust: 1.2

url: http://makthepla.net/blog/=/plesk

Trust: 0.6

url: http://www.parallels.com/products/plesk/

Trust: 0.3

sources: CNVD: CNVD-2014-03746 // BID: 68030 // CNNVD: CNNVD-201406-331

CREDITS

z00

Trust: 0.6

sources: CNNVD: CNNVD-201406-331

SOURCES

db: IVD, id: 3fea3924-1ed1-11e6-abef-000c29c66e3d
db: IVD, id: 7d7822e2-463f-11e9-944c-000c29342cb1
db: CNVD, id: CNVD-2014-03746
db: BID, id: 68030
db: CNNVD, id: CNNVD-201406-331

LAST UPDATE DATE

2022-05-17T02:03:21.368000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2014-03746, date: 2014-07-09T00:00:00
db: BID, id: 68030, date: 2014-06-20T00:04:00
db: CNNVD, id: CNNVD-201406-331, date: 2014-06-17T00:00:00

SOURCES RELEASE DATE

db: IVD, id: 3fea3924-1ed1-11e6-abef-000c29c66e3d, date: 2014-06-19T00:00:00
db: IVD, id: 7d7822e2-463f-11e9-944c-000c29342cb1, date: 2014-06-19T00:00:00
db: CNVD, id: CNVD-2014-03746, date: 2014-06-19T00:00:00
db: BID, id: 68030, date: 2014-06-13T00:00:00
db: CNNVD, id: CNNVD-201406-331, date: 2014-06-17T00:00:00