- Plesk for Linux
A malicious Mailman list administrator can perform a stored XSS attack on other Mailman users, namely the administrators and moderators of the mailing lists. If the victim logs in to Mailman and visits the attacker's Mailman list info page, the attacker can steal the victim's session and perform any action in Mailman on behalf of the victim.
The vulnerability affects only the Mailman package itself: the Plesk UI, websites hosted on Plesk, and all other Plesk functionality and services are not affected.
Since Plesk uses Mailman installed from the OS repositories and does not package or modify it, mitigation has to be done at the OS level. If a Mailman package prior to 2.1.27 is in use, install the patch from the OS vendor's system repositories, if one exists. If the OS vendor has not issued a patch yet, we recommend not visiting any suspicious third-party links while logged in to Mailman, and always logging out of the Mailman interface when you stop using it.
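A shell helper, added here and not part of Plesk or Mailman, that reads the installed Mailman package version from rpm or dpkg and compares its upstream part with 2.1.27; the package name `mailman` and the epoch/release-suffix stripping rules are assumptions about the OS packaging.

```shell
#!/bin/sh
# Added example, not Plesk or Mailman code: is the installed Mailman package at or above 2.1.27?
# Assumes the OS package is named "mailman" and uses the usual rpm/dpkg version form, possibly
# with an epoch ("2:") and a distro release suffix ("-1.el7", "-1ubuntu0.1").
MAILMAN_FIXED_VERSION="2.1.27"

# Reduce a package version to its upstream part: "2:2.1.26-1ubuntu0.1" -> "2.1.26"
upstream_version() {
  v="${1#*:}"                 # drop epoch
  v="${v%%-*}"                # drop distro release
  printf '%s\n' "${v%%+*}"    # drop "+dfsg"-style suffix
}

# version_ge A B: exit 0 if upstream(A) >= upstream(B), comparing dotted components numerically
version_ge() {
  a=$(upstream_version "$1"); b=$(upstream_version "$2")
  awk -v a="$a" -v b="$b" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    len = (n > m) ? n : m
    for (i = 1; i <= len; i++) {
      p = (i <= n) ? x[i] + 0 : 0   # a missing component counts as 0, so "2.1" < "2.1.27"
      q = (i <= m) ? y[i] + 0 : 0
      if (p < q) exit 1
      if (p > q) exit 0
    }
    exit 0
  }'
}

# Print the installed version with whichever package manager exists; non-zero if not installed
installed_mailman_version() {
  if command -v rpm >/dev/null 2>&1; then
    rpm -q --queryformat '%{VERSION}-%{RELEASE}\n' mailman 2>/dev/null
  elif command -v dpkg-query >/dev/null 2>&1; then
    dpkg-query -W -f='${Version}\n' mailman 2>/dev/null
  else
    return 1
  fi
}

check_mailman() {
  v=$(installed_mailman_version) || { echo "mailman: not installed, or no rpm/dpkg found"; return 2; }
  if version_ge "$v" "$MAILMAN_FIXED_VERSION"; then
    echo "mailman $v: at or above $MAILMAN_FIXED_VERSION"
  else
    echo "mailman $v: below $MAILMAN_FIXED_VERSION; check the vendor changelog for a backported fix"
    return 1
  fi
}
check_mailman || :
```

A version below 2.1.27 is not proof that the package is unpatched: OS vendors often backport the fix under the old version number, so confirm against the package changelog (for example `rpm -q --changelog mailman`) before acting.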