- Plesk for Linux
- Plesk for Windows
We have fixed a vulnerability with internal ID #PFSI-61276 that can be used by an unprivileged user to gain administrator privileges.
A subscription owner can read arbitrary files on behalf of the psaadm system user. Consequently, in Plesk for Linux, a subscription owner can log in to Plesk as admin, and run arbitrary code on behalf of the root system user.
Plesk versions 17.0 to 17.9 (both for Linux and Windows) are affected.
Call to Action
To make sure that all updates are installed automatically (including security ones), go to Tools & Settings > Update and Upgrade Settings and select the Automatically install Plesk updates (Recommended) checkbox.
We have also developed updates for Plesk versions that have now reached end of life (Plesk 12.x). An even better way to protect your server from PFSI-61276 and from future security threats is to upgrade Plesk to the latest version: the latest stable Plesk version is the first one to receive security updates.
Note: To confirm that the currently installed Plesk version is no longer affected, find the installed version and update number and verify that it is not lower than the following:
- Plesk Onyx 17.0.17 Update #68
- Plesk Onyx 17.5.3 Update #65
- Plesk Onyx 17.8.11 Update #49
- Plesk Onyx 17.9.13 (no updates so far, since it is a testing version; note the last digit here)
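The version check described in the note above, written out as an added example (not part of the original advisory and not Plesk's own tooling). It assumes the installed build is read from the `Product version:` line of `plesk version` output on a Linux server, in the form `Plesk Onyx 17.8.11 Update #49` (the exact output format is an assumption; adapt the regex if yours differs). It compares that build against the four fixed builds listed above and also handles the edge cases the note implies: a 17.9.13 install counts as fixed with no update number, a branch below 17.0 (such as the 12.x builds that also received updates) has no fixed build number published here and is reported as unknown, and a version above 17.9 is outside the affected range.

```python
import re
import subprocess
import sys

# Minimum fixed builds from the advisory, keyed by (major, minor, patch) -> update number.
# 17.9.13 is listed without an update, so any 17.9.13 install is treated as fixed.
FIXED_BUILDS = {
    (17, 0, 17): 68,
    (17, 5, 3): 65,
    (17, 8, 11): 49,
    (17, 9, 13): 0,
}

# Matches "17.8.11 Update #49" with an optional "Plesk Onyx" prefix and optional update.
VERSION_RE = re.compile(
    r"(?:Plesk\s+Onyx\s+)?(\d+)\.(\d+)\.(\d+)(?:\s+Update\s+#(\d+))?",
    re.IGNORECASE,
)


def parse_version(text):
    """Return (major, minor, patch, update) from a string such as
    'Product version: Plesk Onyx 17.8.11 Update #49' (assumed `plesk version` format).
    A missing 'Update #N' is treated as update 0."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Plesk version found in: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    update = int(m.group(4)) if m.group(4) else 0
    return major, minor, patch, update


def pfsi_61276_status(text):
    """Classify an installed build against the advisory's fixed builds.
    Returns 'fixed', 'vulnerable', 'unaffected' or 'unknown'."""
    major, minor, patch, update = parse_version(text)
    if major > 17 or (major == 17 and minor > 9):
        # Outside the 17.0 .. 17.9 range the advisory names as affected.
        return "unaffected"
    if major < 17:
        # 12.x received updates too, but the advisory lists no fixed build number for it.
        return "unknown"
    fixed = [(p, u) for (M, m, p), u in FIXED_BUILDS.items() if (M, m) == (major, minor)]
    if not fixed:
        # A 17.x branch the advisory does not list; cannot judge from this table.
        return "unknown"
    fixed_patch, fixed_update = fixed[0]
    # Tuple comparison: a newer patch release is fixed regardless of update number;
    # the same patch release needs an update number at or above the fixed one.
    if (patch, update) >= (fixed_patch, fixed_update):
        return "fixed"
    return "vulnerable"


def product_version_line(output):
    """Pick the 'Product version:' line out of `plesk version` output (assumed format)."""
    for line in output.splitlines():
        if line.strip().lower().startswith("product version"):
            return line.strip()
    raise ValueError("no 'Product version' line in output")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Allow passing the version string directly, e.g. "17.8.11 Update #48".
        line = " ".join(sys.argv[1:])
    else:
        # Assumption: the `plesk` CLI is on PATH and `plesk version` prints a
        # "Product version:" line on Linux installs.
        out = subprocess.run(["plesk", "version"], capture_output=True, text=True, check=True).stdout
        line = product_version_line(out)
    print(f"{line} -> {pfsi_61276_status(line)}")
```

Run it as root on the Plesk host, or pass a version string as an argument to check a build you read from the panel. A `vulnerable` result means install the pending update; `unknown` means the build is not covered by the table above and should be upgraded to the latest stable version, as the advisory recommends.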
Warning: If your server uses an end-of-life OS, migrate to a newer one. Otherwise, the server will be exposed to PFSI-61276 and future vulnerabilities.