Vulnerability Details : CVE-2021-35976
Potential exploit
The feature to preview a website in Plesk Obsidian 18.0.0 through 18.0.32 on Linux is vulnerable to reflected XSS via the /plesk-site-preview/ PATH, aka PFSI-62467. The attacker could execute JavaScript code in the victim's browser by using the link to preview sites hosted on the server. Authentication is not required to exploit the vulnerability.
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2021-35976
- cpe:2.3:a:plesk:obsidian:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-35976
0.10% - Probability of exploitation activity in the next 30 days
~43% - Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2021-35976
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N | 8.6 | 2.9 | NIST | 
6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 2.8 | 2.7 | NIST | 
CWE ids for CVE-2021-35976
- The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2021-35976
- https://tarekbouali.com/cves/cve-2021-35976 : [CVE-2021-35976] Plesk Obsidian on Linux is vulnerable to reflected XSS via the /plesk-site-preview/ PATH :: Tarek Bouali – Hacker & Application Security Consultant (Exploit; Third Party Advisory)
- https://support.plesk.com/hc/en-us/articles/4402990507026 : Fix for security-related bug (PFSI-62467) – Plesk Help Center (Vendor Advisory)
- https://www.bouali.io/cves/cve-2021-35976 : [CVE-2021-35976] Plesk Obsidian on Linux is vulnerable to reflected XSS via the /plesk-site-preview/ PATH :: Tarek Bouali (Broken Link)