Ciaran McNally has reported two vulnerabilities in Parallels Plesk (PP), which can be exploited by malicious people to conduct cross-site scripting attacks and disclose potentially sensitive information (reference: http://makthepla.net/blog/=/plesk-sso-xxe-xss).
- Medium severity XML External Entity (XXE) issue affects PP versions 10.4.x and 11.0.x, both Linux and Windows, with the Single Sign-On (SSO) service installed. It may be unexploitable depending on the installed libxml2 version. Impact is limited because the SSO service runs under its own unprivileged user, sso, so only files readable by that user could be read.
- Minor severity Cross-Site Scripting (XSS) issue affects PP versions 10.4.x and 11.0.x, both Linux and Windows, with the Single Sign-On (SSO) service installed.
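The XXE item above describes the classic pattern: a DOCTYPE in attacker-supplied XML declares an external entity, and a parser that resolves it reads a local file into the document. Whether that works depends on parser defaults (hence the libxml2 caveat), so the robust defence is to refuse such documents before any resolution happens. The following is an added example, not Plesk code: it parses untrusted XML with Python's standard-library expat binding and rejects any document that declares an external or parameter entity. The two sample documents are constructed for the demonstration and are not captured Plesk SSO traffic.

```python
"""Refuse XML that declares external entities before a parser can resolve them.

Added illustration for the XXE item in the advisory above; not Plesk code.
The sample documents below are constructed, not captured from Plesk SSO.
"""
from xml.parsers import expat


class ExternalEntityDeclared(ValueError):
    """Raised when an incoming document tries to declare an external entity."""


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse untrusted XML with expat, refusing any DOCTYPE that declares an
    external (SYSTEM/PUBLIC) entity or a parameter entity.

    Returns the root element name, the element names seen and the collected
    character data, so a caller can confirm benign documents still parse.
    """
    parser = expat.ParserCreate()
    # Never fetch an external DTD subset or expand parameter entities.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    result = {"root": None, "elements": [], "text": ""}

    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # External general entities (SYSTEM "file:///...") and all parameter
        # entities are the XXE vehicle; refuse the whole document at once.
        if is_param or system_id is not None or public_id is not None:
            raise ExternalEntityDeclared(
                f"entity {name!r} declared with system id {system_id!r}")

    def external_entity_ref(context, base, system_id, public_id):
        # Defence in depth: if a reference ever reaches this point, do not
        # resolve it either.
        raise ExternalEntityDeclared(f"external reference to {system_id!r}")

    def start(name, attrs):
        if result["root"] is None:
            result["root"] = name
        result["elements"].append(name)

    def chars(text):
        result["text"] += text

    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_entity_ref
    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.Parse(data, True)
    return result


def accepts(data: bytes) -> bool:
    """True if the document parses cleanly, False if it was refused for XXE."""
    try:
        parse_untrusted_xml(data)
    except ExternalEntityDeclared:
        return False
    return True


# Constructed samples: a benign SSO-style message and one carrying an
# external entity declaration of the kind the advisory describes.
SAFE_DOC = b'<?xml version="1.0"?><sso><user>alice</user></sso>'
XXE_DOC = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE sso [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
    b'<sso><user>&xxe;</user></sso>'
)
PARAM_DOC = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE sso [<!ENTITY % p SYSTEM "http://dtd.example.invalid/x.dtd">]>'
    b'<sso/>'
)

if __name__ == "__main__":
    for label, doc in (("safe", SAFE_DOC), ("xxe", XXE_DOC), ("param", PARAM_DOC)):
        print(label, "accepted" if accepts(doc) else "refused")
```

The check is deliberately placed at declaration time rather than at reference time: a document that declares an external entity has no legitimate business in an SSO exchange, and rejecting it early does not depend on whether the underlying XML library would have honoured the reference. Any real deployment should also confirm that the library-level entity loading is disabled, since the declaration hook above is specific to expat.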
NOTE: Newer versions (11.5.x and 12.0.x) of Parallels Plesk and other Parallels products are not affected.
A fix for these issues has been released. Patches were provided for both Plesk 10.4.x and 11.0.x. Please install the latest microupdates in order to apply the patches.
Plesk 10.4: PPPM-1634 - fixed in MU#48
Plesk 11.0: PPPM-1633 - fixed in MU#62