CVE-2025-66431

EPSS 0.07%
Veröffentlicht 03.12.2025 00:00:00
Zuletzt bearbeitet 04.12.2025 17:15:08
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

WebPros Plesk before 18.0.73.5 and 18.0.74 before 18.0.74.2 on Linux allows remote authenticated users to execute arbitrary code as root via domain creation. The attacker needs "Create and manage sites" with "Domains management" and "Subdomains management."

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 6

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerPlesk

≫

Produkt Plesk

Default Statusunaffected

Version < 18.0.73.5

Version 0

Status affected

Version < 18.0.74.2

Version 18.0.74

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.07%	0.219

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
cve@mitre.org	7.8	1.1	6	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE-61 UNIX Symbolic Link (Symlink) Following

The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.

https://docs.plesk.com/release-notes/obsidian/whats-new/

https://docs.plesk.com/release-notes/obsidian/change-log/#plesk-18074

https://support.plesk.com/hc/en-us/articles/36494997377687--CVE-2025-66431-Security-vulnerability-in-domain-creation-mechanism-allows-Plesk-users-to-execute-arbitrary-code-on-behalf-of-root

https://nvd.nist.gov/vuln/detail/CVE-2025-66431

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-66431

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-66431

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-66431