Parallels Plesk SSO XML External Entity and Cross-site scripting
Description
Parallels Plesk Panel is a commercial web hosting control panel that includes Single Sign-On (SSO) functionality for simplified application access and password management. The Plesk SSO implementation contains two flaws that attackers can exploit: an XML External Entity (XXE) injection and a Cross-Site Scripting (XSS) issue. The XXE flaw arises because the SSO component processes untrusted XML input without proper validation, so an attacker-supplied document can declare and reference external entities that the parser then resolves. The vulnerability affects the SSO authentication mechanism and can be exploited remotely without authentication.
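As an added example (not part of this advisory and not Plesk's own code), the following shows the standard mitigation for the XXE class described above: a guard that rejects any DTD or entity declaration before the document reaches the application's XML parser. The SSO message format and the sample inputs are constructed; Plesk's real SSO wire format is not assumed.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class UntrustedDtdError(ValueError):
    """Raised when an SSO message carries a DTD, which is what XXE relies on."""


def reject_dtd(xml_bytes: bytes) -> None:
    """Fail fast if the document declares a DOCTYPE or any entity.

    External entities can only be declared inside a DTD, so refusing the DTD
    outright closes the XXE path no matter how the downstream parser is set up.
    """
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UntrustedDtdError(f"DOCTYPE {name!r} not allowed in SSO message")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        raise UntrustedDtdError(f"entity {name!r} declared in SSO message")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(xml_bytes, True)  # handler exceptions propagate out of Parse()


def parse_sso_message(xml_bytes: bytes) -> ET.Element:
    """Parse an SSO message only after the DTD guard has accepted it."""
    reject_dtd(xml_bytes)
    return ET.fromstring(xml_bytes)


def sso_message_is_safe(xml_bytes: bytes) -> bool:
    """Convenience wrapper: True if the guard accepts the message."""
    try:
        parse_sso_message(xml_bytes)
    except UntrustedDtdError:
        return False
    return True


# Constructed sample of a benign SSO request (hypothetical element names).
BENIGN = b"<ssoRequest><user>alice</user><token>abc123</token></ssoRequest>"

# Constructed sample carrying a DTD that declares an external entity; the
# placeholder URI stands in for whatever a hostile document would reference.
WITH_DTD = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE ssoRequest [<!ENTITY ext SYSTEM "file:///placeholder">]>'
    b"<ssoRequest><user>&ext;</user></ssoRequest>"
)
```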
Remediation
Immediately disable the vulnerable SSO feature in Parallels Plesk Panel until a patched version can be installed. To disable SSO, execute the following command on the server:
~# /usr/local/psa/bin/sso --disable
After disabling SSO, verify the change by checking the SSO status:
~# /usr/local/psa/bin/sso --status
Contact Parallels support to obtain and install the latest security updates for Plesk Panel that address these vulnerabilities. Once updated to a patched version, SSO can be safely re-enabled if needed. Additionally, review server logs for any suspicious XML processing activity or unauthorized file access attempts that may indicate prior exploitation. Implement network-level restrictions to limit access to the Plesk control panel to trusted IP addresses only.