Vulnerability Description
The feature to preview a website in Plesk Obsidian 18.0.0 through 18.0.32 on Linux is vulnerable to reflected XSS via the /plesk-site-preview/ PATH, aka PFSI-62467. The attacker could execute JavaScript code in the victim's browser by using the link to preview sites hosted on the server. Authentication is not required to exploit the vulnerability.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Plesk | Obsidian | >= 18.0.0, <= 18.0.32 |
Related Weaknesses (CWE)
References
- https://support.plesk.com/hc/en-us/articles/4402990507026Vendor Advisory
- https://tarekbouali.com/cves/cve-2021-35976ExploitThird Party Advisory
- https://www.bouali.io/cves/cve-2021-35976Broken Link
- https://support.plesk.com/hc/en-us/articles/4402990507026Vendor Advisory
- https://tarekbouali.com/cves/cve-2021-35976ExploitThird Party Advisory
- https://www.bouali.io/cves/cve-2021-35976Broken Link
FAQ
What is CVE-2021-35976?
CVE-2021-35976 is a vulnerability with a CVSS score of 6.1 (MEDIUM). The feature to preview a website in Plesk Obsidian 18.0.0 through 18.0.32 on Linux is vulnerable to reflected XSS via the /plesk-site-preview/ PATH, aka PFSI-62467. The attacker could execute JavaScri...
How severe is CVE-2021-35976?
CVE-2021-35976 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-35976?
Check the references section above for vendor advisories and patch information. Affected products include: Plesk Obsidian.