
CVE-2021-45007

# Cross-Site Request Forgery

Affected product and version: Plesk Obsidian 18.0.37

Severity: High

Impact: Submit requests with attacker information

Description: A CSRF vulnerability lets an attacker submit new requests on behalf of a logged-in user, because no CSRF token is sent with requests to the server and so the server cannot tell a legitimate form submission from a cross-site one.

Steps to reproduce:

  1. Log in and try to submit any request.
  2. Capture the request with Burp Suite.

     [screenshot]

  3. Note that there is no token protection sent with the request to the server.
  4. Write a simple HTML exploit to submit the request.

     [screenshot]

  5. Open it in the browser.

     [screenshot]

  6. Submit the request.

     [screenshot]

  7. Observe that your data has been submitted successfully.

     [screenshot]
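As an added defender-side illustration (not part of the original advisory and not Plesk's own code), the following Python models the missing check described above: an unprotected handler that accepts any form post simply because the browser attached the session cookie, beside a hardened handler that requires a per-session synchronizer token and, as defence in depth, checks the `Origin`/`Referer` header. The `Session` class, the trusted origin `https://panel.example.test`, and all request data are constructed assumptions for the example.

```python
"""Synchronizer-token CSRF protection, modelled in plain Python (constructed example)."""
import hmac
import secrets
from dataclasses import dataclass, field

# Hypothetical origin of the control panel; a cross-site form post from another
# site carries that site's Origin, not this one.
TRUSTED_ORIGIN = "https://panel.example.test"


@dataclass
class Session:
    """Server-side session record; the token is minted once per session."""
    session_id: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


def issue_token(session: Session) -> str:
    """Token to embed in every state-changing form as a hidden field."""
    return session.csrf_token


def handle_unprotected(session: Session, form: dict, headers: dict) -> tuple:
    """Vulnerable pattern: the request is accepted because a valid session
    exists (cookie sent automatically by the browser), with no proof that the
    user's own page built the request."""
    return True, "accepted without token"


def handle_protected(session: Session, form: dict, headers: dict) -> tuple:
    """Hardened pattern: reject unless the form carries this session's token.

    Returns (accepted, reason). Origin/Referer is checked first when present;
    an attacker's page cannot set either header to the panel's origin.
    """
    origin = headers.get("Origin") or headers.get("Referer", "")
    if origin and not origin.startswith(TRUSTED_ORIGIN):
        return False, "origin mismatch"
    token = form.get("csrf_token")
    if token is None:
        return False, "missing csrf_token"
    # Constant-time comparison so token guessing gains nothing from timing.
    if not hmac.compare_digest(token.encode(), session.csrf_token.encode()):
        return False, "invalid csrf_token"
    return True, "ok"


if __name__ == "__main__":
    session = Session("constructed-session-1")
    # Constructed cross-site request: no token, attacker-controlled Origin.
    forged = {"name": "attacker-value"}
    forged_headers = {"Origin": "https://attacker.example.test"}
    print("unprotected:", handle_unprotected(session, forged, forged_headers))
    print("protected:  ", handle_protected(session, forged, forged_headers))
    # Constructed legitimate request: built by the panel's own page.
    genuine = {"name": "user-value", "csrf_token": issue_token(session)}
    print("genuine:    ", handle_protected(session, genuine, {"Origin": TRUSTED_ORIGIN}))
```

The unprotected handler mirrors the behaviour in the steps above: a request with no token is processed as long as the session cookie rides along. The protected handler refuses the same request on two independent grounds, so even if one check is misconfigured the other still blocks the cross-site submission.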