kb: technical ABT: Group A
- Plesk Onyx
- PMASA-2019-3 affects phpMyAdmin versions prior to 4.8.6 are affected, however, to exploit it, is needed to create a MySQL database with some special characters (double quote) in the name, therefore, as Plesk database names can contain only alphanumeric, dot, dash, and underscore symbols. Plesk does not allow to create a database with other symbols. So, Plesk is not affected.
- PMASA-2019-4 affects phpMyAdmin versions prior to 4.9.0. And Plesk is affected by it.
- CVE-2019-11768 (PMASA-2019-3). Plesk is not affected due to the name constraints on database creation.
- CVE-2019-12616 (PMASA-2019-4). The vulnerability allows an attacker to trigger a CSRF attack against a phpMyAdmin user. The attacker can trick the user, for instance through a broken <img> tag pointing at the victim's phpMyAdmin database, and the attacker can potentially deliver a payload (such as a specific INSERT or DELETE statement) through the victim.
Call to Action
Update Plesk in order to get the fix for the vulnerabilities described above.
This security vulnerability has been fixed in the following Micro Updates for Plesk:
- 17.8.11 MU#59
- 17.5.3 MU#76
- 17.0.17 MU#72