Vulnerability Details CVE-2011-4749
The billing system for Parallels Plesk Panel 10.3.1_build1013110726.09 generates a password form field without disabling the autocomplete feature, which makes it easier for remote attackers to bypass authentication by leveraging an unattended workstation, as demonstrated by forms on certain pages under admin/index.php/default.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.011
EPSS Ranking 76.7%
CVSS Severity
CVSS v2 Score 10.0
References
- http://xss.cx/examples/plesk-reports/plesk-parallels-controlpanel-psa.v.10.3.1_build1013110726.09%20os_redhat.el6-billing-system-plugin-javascript-injection-example-poc-report.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/72260
- http://xss.cx/examples/plesk-reports/plesk-parallels-controlpanel-psa.v.10.3.1_build1013110726.09%20os_redhat.el6-billing-system-plugin-javascript-injection-example-poc-report.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/72260
Products affected by CVE-2011-4749
-
cpe:2.3:a:parallels:parallels_plesk_panel:10.3.1_build1013110726.09
-
cpe:2.3:o:redhat:enterprise_linux:6.0