Details of VAR-201112-0212

ID

VAR-201112-0212

CVE

CVE-2011-4749

TITLE

Parallels Plesk Panel Trust Management Vulnerability

Trust: 1.6

sources: IVD: 4f37e624-2354-11e6-abef-000c29c66e3d // IVD: 7d722f73-463f-11e9-b5cb-000c29342cb1 // CNVD: CNVD-2011-5636 // CNNVD: CNNVD-201112-310

DESCRIPTION

The billing system for Parallels Plesk Panel 10.3.1_build1013110726.09 generates a password form field without disabling the autocomplete feature, which makes it easier for remote attackers to bypass authentication by leveraging an unattended workstation, as demonstrated by forms on certain pages under admin/index.php/default

Trust: 2.52

sources: NVD: CVE-2011-4749 // JVNDB: JVNDB-2011-003439 // CNVD: CNVD-2011-5636 // IVD: 4f37e624-2354-11e6-abef-000c29c66e3d // IVD: 7d722f73-463f-11e9-b5cb-000c29342cb1

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 1.0

sources: IVD: 4f37e624-2354-11e6-abef-000c29c66e3d // IVD: 7d722f73-463f-11e9-b5cb-000c29342cb1 // CNVD: CNVD-2011-5636

AFFECTED PRODUCTS

vendor:	parallels	model:	plesk panel	scope:	eq	version:	10.3.1_build1013110726.09	Trust: 1.6
vendor:	parallels	model:	plesk panel	scope:	eq	version:	10.3.1 build1013110726.09	Trust: 0.8
vendor:	parallels	model:	plesk panel 10.3.1 build1013110726.09	scope:	-	version:	-	Trust: 0.6
vendor:	redhat	model:	enterprise linux	scope:	eq	version:	6	Trust: 0.6
vendor:	parallels plesk panel	model:	10.3.1 build1013110726.09	scope:	-	version:	-	Trust: 0.4

sources: IVD: 4f37e624-2354-11e6-abef-000c29c66e3d // IVD: 7d722f73-463f-11e9-b5cb-000c29342cb1 // CNVD: CNVD-2011-5636 // JVNDB: JVNDB-2011-003439 // CNNVD: CNNVD-201112-310 // NVD: CVE-2011-4749

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2011-4749
value:	HIGH
Trust: 1.0
NVD:	CVE-2011-4749
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2011-5636
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201112-310
value:	CRITICAL
Trust: 0.6
IVD:	4f37e624-2354-11e6-abef-000c29c66e3d
value:	CRITICAL
Trust: 0.2
IVD:	7d722f73-463f-11e9-b5cb-000c29342cb1
value:	CRITICAL
Trust: 0.2

nvd@nist.gov:	CVE-2011-4749
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2011-5636
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	4f37e624-2354-11e6-abef-000c29c66e3d
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2
IVD:	7d722f73-463f-11e9-b5cb-000c29342cb1
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2

PROBLEMTYPE DATA

problemtype:

CWE-255

Trust: 1.8

sources: JVNDB: JVNDB-2011-003439 // NVD: CVE-2011-4749

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201112-310

TYPE

trust management problem

Trust: 0.6

sources: CNNVD: CNNVD-201112-310

CONFIGURATIONS

sources: JVNDB: JVNDB-2011-003439

PATCH

title:

Parallels Plesk Panel

url:

http://www.parallels.com/products/plesk/

Trust: 0.8

sources: JVNDB: JVNDB-2011-003439

EXTERNAL IDS

db:	NVD	id:	CVE-2011-4749	Trust: 3.4
db:	CNVD	id:	CNVD-2011-5636	Trust: 1.0
db:	CNNVD	id:	CNNVD-201112-310	Trust: 1.0
db:	JVNDB	id:	JVNDB-2011-003439	Trust: 0.8
db:	IVD	id:	4F37E624-2354-11E6-ABEF-000C29C66E3D	Trust: 0.2
db:	IVD	id:	7D722F73-463F-11E9-B5CB-000C29342CB1	Trust: 0.2

REFERENCES

url:	http://xss.cx/examples/plesk-reports/plesk-parallels-controlpanel-psa.v.10.3.1_build1013110726.09%20os_redhat.el6-billing-system-plugin-javascript-injection-example-poc-report.html	Trust: 1.6
url:	https://exchange.xforce.ibmcloud.com/vulnerabilities/72260	Trust: 1.6
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2011-4749	Trust: 1.4
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2011-4749	Trust: 0.8

sources: CNVD: CNVD-2011-5636 // JVNDB: JVNDB-2011-003439 // CNNVD: CNNVD-201112-310 // NVD: CVE-2011-4749

SOURCES

db:	IVD	id:	4f37e624-2354-11e6-abef-000c29c66e3d
db:	IVD	id:	7d722f73-463f-11e9-b5cb-000c29342cb1
db:	CNVD	id:	CNVD-2011-5636
db:	JVNDB	id:	JVNDB-2011-003439
db:	CNNVD	id:	CNNVD-201112-310
db:	NVD	id:	CVE-2011-4749

LAST UPDATE DATE

2024-11-23T23:06:27.544000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2011-5636	date:	2011-12-19T00:00:00
db:	JVNDB	id:	JVNDB-2011-003439	date:	2011-12-20T00:00:00
db:	CNNVD	id:	CNNVD-201112-310	date:	2019-04-23T00:00:00
db:	NVD	id:	CVE-2011-4749	date:	2024-11-21T01:32:55.523

SOURCES RELEASE DATE

db:	IVD	id:	4f37e624-2354-11e6-abef-000c29c66e3d	date:	2011-12-19T00:00:00
db:	IVD	id:	7d722f73-463f-11e9-b5cb-000c29342cb1	date:	2011-12-19T00:00:00
db:	CNVD	id:	CNVD-2011-5636	date:	2011-12-19T00:00:00
db:	JVNDB	id:	JVNDB-2011-003439	date:	2011-12-20T00:00:00
db:	CNNVD	id:	CNNVD-201112-310	date:	2011-12-19T00:00:00
db:	NVD	id:	CVE-2011-4749	date:	2011-12-16T11:55:10.847