CVE-2013-4878

EXPLOITED

Parallels Plesk Panel <9.0.x, 9.2.x - RCE

Description

The default configuration of Parallels Plesk Panel 9.0.x and 9.2.x on UNIX, and Small Business Panel 10.x on UNIX, has an improper ScriptAlias directive for phppath, which makes it easier for remote attackers to execute arbitrary code via a crafted request, a different vulnerability than CVE-2012-1823.

Exploits (1)

exploitdb WORKING POC VERIFIED
by kingcope · text · remote · php
https://www.exploit-db.com/exploits/25986

Scores

EPSS 0.1394
EPSS Percentile 94.3%

Details

VulnCheck KEV 2013-06-06
CWE CWE-264
Status published
Products (3)
parallels/parallels_plesk_panel 9.0
parallels/parallels_plesk_panel 9.2
parallels/parallels_small_business_panel 10.0
Published Jul 18, 2013
Tracked Since Feb 18, 2026