CVE-2021-35976 Information

Description

The feature to preview a website in Plesk Obsidian 18.0.0 through 18.0.32 on Linux is vulnerable to reflected XSS via the /plesk-site-preview/ PATH aka PFSI-62467. The attacker could execute JavaScript code in the victim’s browser by using the link to preview sites hosted on the server. Authentication is not required to exploit the vulnerability.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Reference

https://support.plesk.com/hc/en-us/articles/4402990507026 https://tarekbouali.com/cves/cve-2021-35976 https://www.bouali.io/cves/cve-2021-35976

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

REQUIRED

Confidentiality Impact

CHANGED

Integrity Impact

LOW

Availability Impact

LOW

Base Score

NONE

Base Severity

6.1