Tjetnipat

#42144 of 53,632
6.4 Total CVSS
Vulnerabilities · 1
PT-2023-6601
6.4
2023-01-21
Plesk · Plesk Obsidian · CVE-2023-24044
**Name of the Vulnerable Software and Affected Versions**

Plesk Obsidian versions through 18.0.49

**Description**

A Host Header Injection issue on the Login page allows attackers to redirect users to malicious websites via a Host request header. The issue is related to the ability to use arbitrary domain names to access the panel, which the vendor considers an intended feature. This can be exploited by sending a specially crafted `Host` HTTP request header, potentially allowing a remote attacker to redirect users to arbitrary websites.

**Recommendations**

For Plesk Obsidian versions through 18.0.49, consider restricting access to the Login page or disabling the ability to use arbitrary domain names to access the panel as a temporary workaround until a fix is available. Avoid using the `Host` request header in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.