Knowledge Base

Vulnerability CVE-2023-24044

Situation

Vulnerability CVE-2023-24044 in Plesk versions up to and including Obsidian 18.0.49 was reported.

Impact

Plesk Security team considers the vulnerability invalid, so Plesk is not affected.

The ability to use arbitrary domain names to access the panel is a feature of Plesk done by Plesk users request.
Web cache poisoning attack is not possible, because the HTTP response contains:
Cache-Control: no-store, no-cache, must-revalidate
We are not aware of any other attacks that allow an attacker to redirect a victim from the Plesk login page to a malicious website via the HTTP request header "Host".

Call to Action

No actions are required.

Related Posts

Plesk Obsidian 18.0.62 is now available

Plesk Obsidian 18.0.61 Release

HTTP Response Status Codes Explained

Knowledge Base

mod_fcgid: stderr: Connection refused appears repeatedly within the Apache error log for a website on a Plesk server

How to configure varnish cache for a domain in Plesk?

Let’s Encrypt certificate installation fails for a domain in Plesk for Windows Server: The authorization token is not available

Microsoft Windows Server 2008R2, Server 2012, Server 2012R2 and Server 2016 are vulnerable to Juicy Potato exploit

Hosting Wiki