Vulnerability Description
The Control Panel in Parallels Plesk Panel 10.4.4_build20111103.18 does not set the secure flag for a cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session, as demonstrated by cookies used by help.php and certain other files.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Parallels | Parallels Plesk Panel | 10.4.4_build20111103.18 |
| Microsoft | Windows 2003 Server | All versions |
| Microsoft | Windows Server 2008 | - |
Related Weaknesses (CWE)
References
- http://xss.cx/kb/parallels/xss-parallelspleskpanel.v10.4.4_build20111103.18-os_w
- https://exchange.xforce.ibmcloud.com/vulnerabilities/72224
- http://xss.cx/kb/parallels/xss-parallelspleskpanel.v10.4.4_build20111103.18-os_w
- https://exchange.xforce.ibmcloud.com/vulnerabilities/72224
FAQ
What is CVE-2011-4849?
CVE-2011-4849 is a vulnerability with a CVSS score of 4.3 (MEDIUM). The Control Panel in Parallels Plesk Panel 10.4.4_build20111103.18 does not set the secure flag for a cookie in an https session, which makes it easier for remote attackers to capture this cookie by i...
How severe is CVE-2011-4849?
CVE-2011-4849 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2011-4849?
Check the references section above for vendor advisories and patch information. Affected products include: Parallels Parallels Plesk Panel, Microsoft Windows 2003 Server, Microsoft Windows Server 2008.