Filtered by vendor: Plesk
Filtered by product: Obsidian
Total: 6 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2025-54336 1 Plesk 1 Obsidian 2025-08-21 9.8 Critical
In Plesk Obsidian 18.0.70, _isAdminPasswordValid (in admin/plib/LoginManager.php) compares the supplied password to the stored value with PHP's loose == operator. PHP compares two numeric strings as numbers, so if the correct password is "0e" followed by any digit string (which parses as 0.0 in scientific notation), an attacker can log in with any other string that also evaluates to 0.0, such as "0e0".
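The type-juggling comparison described above, reduced to a stand-alone script. This is an added example, not Plesk's code; the function names, the stored "0e…" password and the candidate strings are constructed for illustration.

```php
<?php
// Added example (not Plesk code): why `==` on password strings is unsafe in PHP.
// When both operands are numeric strings, `==` compares them as numbers, so
// "0e123" and "0e0" both become 0.0 and compare equal (PHP 7 and PHP 8 alike).

// Vulnerable pattern of the kind described for _isAdminPasswordValid (illustrative name).
function isPasswordValidLoose(string $stored, string $supplied): bool
{
    return $stored == $supplied;          // loose comparison: numeric-string juggling applies
}

// Hardened: byte-exact, constant-time comparison. In a real panel the stored value
// should be a password hash checked with password_verify(), never a plaintext secret.
function isPasswordValidStrict(string $stored, string $supplied): bool
{
    return hash_equals($stored, $supplied);
}

$stored = "0e12345678901234567890";   // constructed sample password of the 0e<digits> form
$candidates = ["0e0", "0e999", "0", "0e12345678901234567890", "hunter2"];

foreach ($candidates as $c) {
    printf(
        "%-26s loose=%s strict=%s\n",
        var_export($c, true),
        isPasswordValidLoose($stored, $c) ? 'accepted' : 'rejected',
        isPasswordValidStrict($stored, $c) ? 'accepted' : 'rejected'
    );
}
```

The loose check accepts "0e0", "0e999" and even "0" alongside the real password, while hash_equals() accepts only the exact string. Any == or != on secrets, hashes or tokens in PHP deserves the same treatment: use hash_equals() for raw strings and password_verify() for password hashes.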
CVE-2025-49618 1 Plesk 1 Obsidian 2025-07-06 5.8 Medium
In Plesk Obsidian 18.0.69, unauthenticated requests to /login_up.php can reveal an AWS accessKeyId, secretAccessKey, region, and endpoint.
CVE-2022-45130 1 Plesk 1 Obsidian 2025-05-01 6.5 Medium
Plesk Obsidian allows a CSRF attack, e.g., via the /api/v2/cli/commands REST API, to change the Admin password. NOTE: Obsidian is a specific release line of the Plesk product: plain version numbers were used through version 12; later release lines are identified by a name ("Obsidian") together with an 18.0.x build number, as in the other entries on this page.
CVE-2023-24044 1 Plesk 1 Obsidian 2025-04-02 6.1 Medium
A Host Header Injection issue on the login page of Plesk Obsidian through 18.0.49 allows attackers to redirect users to malicious websites via a crafted Host request header. NOTE: the vendor's position is "the ability to use arbitrary domain names to access the panel is an intended feature."
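Both the CSRF entry (CVE-2022-45130) and the Host header entry above come down to trusting request-supplied origin data. The script below, an added example that is not Plesk's code, shows the two checks a practitioner would want: redirect targets built from a configured hostname rather than the Host header, and state-changing API requests rejected unless their Origin/Referer matches that hostname. The allowlist, function names and request environments are constructed assumptions.

```php
<?php
// Added example (not Plesk code). Two checks that close the request-origin gaps above:
// (1) never build redirect targets from the client-supplied Host header, and
// (2) reject state-changing API requests whose Origin/Referer is not the panel itself.
// $allowedHosts stands in for a configured canonical panel hostname (an assumption).

function canonicalHost(array $server, array $allowedHosts): string
{
    // Compare the Host header (port stripped) against the allowlist; never use it raw.
    $host = strtolower(explode(':', $server['HTTP_HOST'] ?? '', 2)[0]);
    return in_array($host, $allowedHosts, true) ? $host : $allowedHosts[0];
}

function loginRedirectUrl(array $server, array $allowedHosts): string
{
    // Host Header Injection: echoing $_SERVER['HTTP_HOST'] into a Location header lets an
    // attacker-controlled Host value send the victim to a site the attacker controls.
    return 'https://' . canonicalHost($server, $allowedHosts) . '/login_up.php';
}

function isSameOriginRequest(array $server, array $allowedHosts): bool
{
    // CSRF: a cross-site form post or XHR carries the attacker's Origin (or a foreign Referer).
    $source = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? null;
    if ($source === null) {
        return false;                        // no provenance: deny state-changing requests
    }
    $srcHost = strtolower((string) parse_url($source, PHP_URL_HOST));
    return in_array($srcHost, $allowedHosts, true);
}

$allowedHosts = ['panel.example.test'];      // constructed; would come from panel configuration

// Constructed request environments.
$requests = [
    'spoofedHost'  => ['HTTP_HOST' => 'evil.example',       'HTTP_ORIGIN' => 'https://evil.example'],
    'legitimate'   => ['HTTP_HOST' => 'panel.example.test', 'HTTP_ORIGIN' => 'https://panel.example.test'],
    'crossSiteApi' => ['HTTP_HOST' => 'panel.example.test', 'HTTP_ORIGIN' => 'https://attacker.example'],
];

foreach ($requests as $name => $env) {
    printf(
        "%-13s redirect=%s  api_allowed=%s\n",
        $name,
        loginRedirectUrl($env, $allowedHosts),
        isSameOriginRequest($env, $allowedHosts) ? 'yes' : 'no'
    );
}
```

The Origin/Referer check is defence in depth, not a replacement for per-session CSRF tokens on the REST API; browsers omit Referer in some configurations, which is why a missing header is treated as a denial rather than a pass. The vendor's "arbitrary domain names" stance is compatible with this: accepting many hostnames is fine, as long as they come from a configured allowlist rather than from whatever the client sent.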
CVE-2021-35976 1 Plesk 1 Obsidian 2024-11-21 6.1 Medium
The website preview feature in Plesk Obsidian 18.0.0 through 18.0.32 on Linux is vulnerable to reflected XSS via the URL path under /plesk-site-preview/, aka PFSI-62467. An attacker can execute JavaScript in the victim's browser by getting them to open a crafted preview link for a site hosted on the server. Authentication is not required to exploit the vulnerability.
CVE-2020-11583 2 Microsoft, Plesk 2 Windows, Obsidian 2024-11-21 6.1 Medium
A GET-based reflected XSS vulnerability in Plesk Obsidian 18.0.17 allows remote unauthenticated users to inject arbitrary JavaScript, HTML, or CSS via a GET parameter.
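The two reflected-XSS entries (CVE-2021-35976 via the preview path, CVE-2020-11583 via a GET parameter) share one root cause: request data echoed into HTML without contextual encoding. The script below is an added example, not Plesk's code, showing the vulnerable reflection next to the escaped version for both a path component and a query parameter; the function names and payloads are constructed.

```php
<?php
// Added example (not Plesk code): reflected XSS from echoing request data unescaped,
// and the contextual escaping that prevents it. Covers a path-based reflection
// (like /plesk-site-preview/<path>) and a GET-parameter reflection.

function previewLinkVulnerable(string $pathInfo): string
{
    // Request path reflected into an attribute and into text as-is.
    return '<a href="/plesk-site-preview/' . $pathInfo . '">Preview ' . $pathInfo . '</a>';
}

function previewLinkSafe(string $pathInfo): string
{
    // Encode per context: URL path segments, then HTML attribute, and HTML text separately.
    $urlPart  = implode('/', array_map('rawurlencode', explode('/', $pathInfo)));
    $attrPart = htmlspecialchars($urlPart, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $textPart = htmlspecialchars($pathInfo, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="/plesk-site-preview/' . $attrPart . '">Preview ' . $textPart . '</a>';
}

function echoParamVulnerable(array $get): string
{
    // GET parameter reflected straight into the page body.
    return '<p>Results for: ' . ($get['q'] ?? '') . '</p>';
}

function echoParamSafe(array $get): string
{
    return '<p>Results for: ' . htmlspecialchars($get['q'] ?? '', ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// Constructed payloads of the kind a reflected-XSS link would carry.
$path = 'example.test/"><script>alert(document.cookie)</script>';
$get  = ['q' => '<img src=x onerror=alert(1)>'];

echo previewLinkVulnerable($path), "\n";   // markup survives: the browser runs it
echo previewLinkSafe($path), "\n";         // markup is inert text inside the page
echo echoParamVulnerable($get), "\n";
echo echoParamSafe($get), "\n";
```

Because the payload rides in the URL, no authentication is needed and the victim only has to click a link, which is why both entries are unauthenticated. Output encoding at the point of reflection is the fix; a Content-Security-Policy without unsafe-inline is a worthwhile second layer but does not replace it.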