CVE-2011-4776, CVE-2011-4777, Parallels Plesk Panel v10.4.4_build20111103.18 os_Windows 2003/2008, XSS, Cross Site Scripting, CWE-79, CAPEC-86

CVE Assignments for Parallels Plesk Panel v10.4.4_build20111103.18 os_Windows 2003/2008

Commentary, Discussion and Analysis: Hoyt LLC Research sends thanks to Secunia Vulnerability Research for arriving at the same conclusions; most the XSS Bugs aren't exploitable due to the sML uniquifier negating most of the XSS issues. The interesting comments are the SCAP Tools that don't fingerprint these Bugs!

Parallels implemented an Authentication Mechanism as a Workaround in Version 10.2.0 instead of fixing the unsanitized output. Subsequent research developed a Proof of Concept that delivers XSS which is unpublished until a Patch or further Workaround is available.

CVE-2011-4776 is specific to Parallels CPanel on Port 8443.

CVE-2011-4777 is Specific to SiteBuilder on Port 8447.

Note that SiteBuilder has additional Exploits pending @ CVSS 8-10.