- Plesk for Linux
- Plesk for Windows
We have fixed a vulnerability, internal ID #PFSI-61276, that an unprivileged user could use to gain administrator privileges.
A subscription owner can read arbitrary files on behalf of the psaadm system user. Because files readable by psaadm are sufficient to authenticate as the Plesk administrator, in Plesk for Linux a subscription owner can consequently log in to Plesk as admin and run arbitrary code on behalf of the root system user.
Plesk versions 12.0 to 17.9 (both for Linux and Windows) are affected.
Call to Action
To make sure that all updates, including security updates, are installed automatically, go to Tools & Settings > Update and Upgrade Settings and select the Automatically install Plesk updates (Recommended) checkbox.
We have also developed updates for Plesk versions that have reached end of life (Plesk 12.x). An even better way to protect your server from the PFSI-61276 vulnerability and from future security threats is to upgrade Plesk to the latest version: the latest stable Plesk version is the first one to receive security updates.
Note: To confirm that the currently installed Plesk version is no longer affected, find the update version and verify that it is not lower than the following:
- Plesk 12.0.18 Update #104
- Plesk 12.5.30 Update #79
- Plesk Onyx 17.0.17 Update #68
- Plesk Onyx 17.5.3 Update #65
- Plesk Onyx 17.8.11 Update #49
- Plesk Onyx 17.9.13 (no updates so far, since it is a testing version; note the third number here: 17.9.13 itself is the first fixed build)
Warning: If your server runs an end-of-life OS, migrate to a supported one. Otherwise your server remains exposed to PFSI-61276 and to future vulnerabilities.
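The version check described in the note above, as an added example that is not Plesk's own tooling: the script parses the text printed by `plesk version` on an Onyx server, extracts the base version (x.y.z) and the update number, and compares them with the minimum fixed builds listed in this advisory. A build counts as fixed when, within the same x.y branch, its third number is above the fixed build's, or equal with an update number at or above the fixed one (so 17.9.12 is vulnerable while 17.9.13 with no updates is fixed). The exact layout of `plesk version` output (a "Product version" line and an "Update #N" line) is an assumption, the sample output is constructed rather than captured from a real server, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not Plesk's own tooling): decide whether an installed Plesk build
# carries the PFSI-61276 fix by comparing it with the advisory's minimum fixed builds.
# ASSUMPTION: `plesk version` prints a "Product version: ... x.y.z[.w]" line and an
# "Update #N" line; the sample below is constructed, not captured from a real server.

SAMPLE_OUTPUT='Product version: Plesk Onyx 17.8.11.0
     Update #49, last updated on Jan 10, 2019 10:00 AM
     Build date: 2019/01/08 12:00
     OS version: CentOS 7.6.1810
     Architecture: 64-bit'

# Minimum fixed build per branch, taken from the advisory: "<x.y.z> <update>".
# 17.9.13 has shipped no updates yet, so its minimum update number is 0.
FIXED_TABLE='12.0.18 104
12.5.30 79
17.0.17 68
17.5.3 65
17.8.11 49
17.9.13 0'

# base_version OUTPUT -> x.y.z from the Product version line (empty if not found)
base_version() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*Product version: .* \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' |
        head -n 1
}

# update_number OUTPUT -> N from the "Update #N" line, or 0 when there is none
update_number() {
    n=$(printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*Update #\([0-9][0-9]*\).*/\1/p' | head -n 1)
    printf '%s\n' "${n:-0}"
}

# pfsi_61276_status x.y.z N -> prints fixed | vulnerable | unknown (exit 0 | 1 | 2)
# Only rows in the same x.y branch are compared; "unknown" means the branch is not
# in the advisory's list (for example a release newer than 17.9) and needs manual review.
pfsi_61276_status() {
    status=$(printf '%s\n' "$FIXED_TABLE" | awk -v base="$1" -v upd="$2" '
        BEGIN { split(base, b, "."); status = "unknown" }
        {
            split($1, f, ".")
            if (b[1] != f[1] || b[2] != f[2]) next     # different x.y branch
            if (b[3] + 0 > f[3] + 0)      status = "fixed"
            else if (b[3] + 0 < f[3] + 0) status = "vulnerable"
            else if (upd + 0 >= $2 + 0)   status = "fixed"
            else                          status = "vulnerable"
        }
        END { print status }')
    echo "$status"
    case $status in
        fixed)      return 0 ;;
        vulnerable) return 1 ;;
        *)          return 2 ;;
    esac
}

# check_output OUTPUT -> runs the whole check on captured `plesk version` text
check_output() {
    base=$(base_version "$1")
    if [ -z "$base" ]; then
        echo unknown
        return 2
    fi
    pfsi_61276_status "$base" "$(update_number "$1")"
}

# Stand-alone run against the constructed sample; on a real Onyx server use:
#   check_output "$(plesk version 2>/dev/null)"
check_output "$SAMPLE_OUTPUT"
```

The exit status (0 fixed, 1 vulnerable, 2 unknown) makes the check usable from a fleet inventory job; an "unknown" result for a version outside the 12.0 to 17.9 range is deliberate, since this advisory only lists fixed builds for those branches.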