Remote Code Execution in Parallels Plesk Panel Affected by Lack of HTTPOnly Flag
CVE-2011-4738

Currently unrated

Key Information:

Vendor: Parallels
Status: Parallels Plesk Panel
Vendor: CVE Published:; 16 December 2011

What is CVE-2011-4738?

The Control Panel in Parallels Plesk Panel 10.2.0 build 20110407.20 is susceptible to a vulnerability that omits the HTTPOnly flag in the Set-Cookie header. This flaw allows remote attackers to potentially access sensitive information through script-based attacks on the cookie, particularly via files such as get_password.php. Without the protection provided by the HTTPOnly attribute, user sessions and other critical cookie data can be exploited, leading to unauthorized access to user accounts and system resources.

References

http://xss.cx/examples/plesk-reports/xss-reflected-cross-...

x_refsource_MISC

https://exchange.xforce.ibmcloud.com/vulnerabilities/72321

vdb-entryx_refsource_XF

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 16, 2011
Vulnerability Reserved
Dec 11, 2011