- Plesk Onyx for Linux
- PMASA-2019-1 affects phpMyAdmin versions from at least 4.0 through 4.8.4, but it does not affect the default Plesk configuration because the AllowArbitraryServer setting is disabled.
- PMASA-2019-2 affects phpMyAdmin versions from 4.5.0 through 4.8.4. A SQL injection attack is possible through the designer feature using a specially crafted username.
By default, a Plesk server is not affected:
- CVE-2019-6799 (PMASA-2019-1). The default Plesk configuration does not have the AllowArbitraryServer setting enabled.
- CVE-2019-6798 (PMASA-2019-2). Plesk does not allow creating database users with special symbols in their names. Only the DB Server Admin can create database users directly via MySQL. Also, injection is possible only into the phpMyAdmin database.
Call to Action
- If the AllowArbitraryServer setting was enabled manually, disable it to avoid CVE-2019-6799.
- For CVE-2019-6798, no action is required if all database users were created via Plesk and none were created manually on the server.
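An audit script for the two actions above, added here as an example; it is not Plesk's or phpMyAdmin's own tooling. The config.inc.php location (shown as the placeholder `$PMA_CONFIG`) and the allow-list of characters Plesk uses in database user names are assumptions; the demo input at the bottom is constructed.

```shell
#!/bin/sh
# Audit helpers for CVE-2019-6799 (PMASA-2019-1) and CVE-2019-6798 (PMASA-2019-2)
# on a Plesk Onyx host. Constructed example; not Plesk's or phpMyAdmin's tooling.
# pma_arbitrary_server_enabled CONFIG  -> 0 if an active, uncommented line
# "$cfg['AllowArbitraryServer'] = true;" exists in CONFIG, else 1.
# phpMyAdmin defaults to false, so an absent line means disabled. Lines
# commented out with // or # do not start with $cfg and are skipped; values
# computed by PHP code are beyond this plain-text check.
pma_arbitrary_server_enabled() {
    grep -Eiq '^[[:space:]]*\$cfg\[.AllowArbitraryServer.[]][[:space:]]*=[[:space:]]*true[[:space:]]*;' "$1"
}

# suspicious_db_users < user-list  -> prints names containing characters outside
# the allow-list and returns 1; returns 0 when every name is clean.
# Allow-list (letters, digits, _ and -) is an assumption about what Plesk
# itself creates; names outside it were most likely made by hand via MySQL,
# which is the precondition for CVE-2019-6798.
suspicious_db_users() {
    flagged=$(grep -E '[^A-Za-z0-9_-]' || true)
    [ -z "$flagged" ] && return 0
    printf '%s\n' "$flagged"
    return 1
}

# audit_pmasa_2019 CONFIG < user-list  -> one verdict per CVE, exit 1 on findings.
audit_pmasa_2019() {
    rc=0
    if [ -f "$1" ] && pma_arbitrary_server_enabled "$1"; then
        echo "WARN CVE-2019-6799: AllowArbitraryServer is enabled in $1; set it to false"
        rc=1
    else
        echo "OK   CVE-2019-6799: AllowArbitraryServer is not enabled"
    fi
    if names=$(suspicious_db_users); then
        echo "OK   CVE-2019-6798: all database user names look Plesk-created"
    else
        echo "WARN CVE-2019-6798: database users with special symbols in the name:"
        printf '%s\n' "$names" | sed 's/^/  /'
        rc=1
    fi
    return $rc
}

# Constructed demo input, not taken from a real server. On a Plesk host feed
# real data instead:  mysql -N -e 'SELECT User FROM mysql.user' | audit_pmasa_2019 "$PMA_CONFIG"
demo_cfg=$(mktemp)
printf '%s\n' '<?php' "\$cfg['AllowArbitraryServer'] = true;" > "$demo_cfg"
printf '%s\n' admin web_user1 "o'brien" | audit_pmasa_2019 "$demo_cfg" || true
rm -f "$demo_cfg"
```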