CVE-2011-4765

Name of the Vulnerable Software and Affected Versions Parallels Plesk Small Business Panel version 10.2.0

Description The issue concerns the Site Editor feature in Parallels Plesk Small Business Panel, where the HTTPOnly flag is not included in a Set-Cookie header for a cookie. This omission makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie. The vulnerability is demonstrated by cookies used by certain files, such as Wizard/Edit/Modules/ImageGallery/MultiImagesUpload.

Recommendations For Parallels Plesk Small Business Panel version 10.2.0, consider configuring the Set-Cookie header to include the HTTPOnly flag to mitigate the risk of exploitation. As a temporary workaround, restrict access to sensitive cookies used by the Site Editor feature until a patch is available.