CVE-2023-4931

MEDIUM

Plesk - Uncontrolled Search Path

Title source: rule

Description

An uncontrolled search path element vulnerability affects Plesk Installer version 3.27.0.0. A local attacker could execute arbitrary code by injecting DLL files into the same folder where the application is installed, resulting in DLL hijacking of the edputil.dll, samlib.dll, urlmon.dll, sspicli.dll, propsys.dll and profapi.dll files.

Scores

CVSS v3 6.3
EPSS 0.0004
EPSS Percentile 13.1%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L

Classification

CWE CWE-427
Status published

Affected Products (1)

plesk/plesk

Timeline

Published Nov 27, 2023
Tracked Since Feb 18, 2026