Vulnerability CVE-2023-24044 in Plesk versions up to and including Obsidian 18.0.49 was reported.
Plesk Security team considers the vulnerability invalid, so Plesk is not affected.
- The ability to use arbitrary domain names to access the panel is a feature of Plesk done by Plesk users request.
- Web cache poisoning attack is not possible, because the HTTP response contains:
Cache-Control: no-store, no-cache, must-revalidate
- We are not aware of any other attacks that allow an attacker to redirect a victim from the Plesk login page to a malicious website via the HTTP request header "Host".
Call to Action
No actions are required.