Plesk

Vulnerability CVE-2023-24044

Situation

Vulnerability CVE-2023-24044 in Plesk versions up to and including Obsidian 18.0.49 was reported.

Impact

The Plesk Security team considers the vulnerability invalid, so Plesk is not affected.

  1. The ability to use arbitrary domain names to access the panel is a Plesk feature, implemented at the request of Plesk users.
  2. A web cache poisoning attack is not possible, because the HTTP response contains:

    Cache-Control: no-store, no-cache, must-revalidate

  3. We are not aware of any other attacks that allow an attacker to redirect a victim from the Plesk login page to a malicious website via the HTTP request header "Host".
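
Administrators who want to confirm points 2 and 3 on their own server can audit a captured response head. The following is an added example, not Plesk code; the sample response, the host name panel.example.test and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample response head (not captured from a real Plesk server).
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://panel.example.test:8443/login\r\n"
    "Cache-Control: no-store, no-cache, must-revalidate\r\n"
    "Content-Length: 0\r\n\r\n"
)

def parse_head(raw):
    """Return (status, headers); headers maps lowercased names to value lists."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers

def cache_directives(headers):
    """Merge the directives of every Cache-Control header into one dict.
    Simplification: splits on commas, so quoted arguments that contain
    commas are not handled."""
    directives = {}
    for value in headers.get("cache-control", []):
        for part in value.split(","):
            key, _, arg = part.strip().partition("=")
            if key:
                directives[key.lower()] = arg.strip('"') or None
    return directives

def audit(raw, trusted_host):
    """Report whether a cache may store the response and whether it
    redirects to a host other than trusted_host."""
    status, headers = parse_head(raw)
    directives = cache_directives(headers)
    location = headers.get("location", [""])[0]
    redirect_host = urlsplit(location).hostname  # None for relative redirects
    storable = "no-store" not in directives
    off_host = redirect_host is not None and redirect_host != trusted_host.lower()
    return {"status": status, "storable": storable,
            "off_host_redirect": off_host,
            "poisoning_risk": storable and off_host}

if __name__ == "__main__":
    print(audit(SAMPLE_RESPONSE, "panel.example.test"))
```

A response that carries no-store is reported as not storable, so poisoning_risk stays false even when the redirect target differs from the trusted host.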

Call to Action

No actions are required.
