Home

Description

In Plesk Obsidian 18.0.69, unauthenticated requests to /login_up.php can reveal an AWS accessKeyId, secretAccessKey, region, and endpoint.

PUBLISHED Reserved 2025-06-07 | Published 2025-07-03 | Updated 2025-07-03 | Assigner mitre




MEDIUM: 5.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

Problem types

CWE-402 Transmission of Private Resources into a New Sphere ('Resource Leak')

Product status

Default status
unknown

18.0.69 (custom)
affected

References

www.plesk.com/...nouncements/plesk-obsidian-18-0-69-is-here/

www.linkedin.com/...sidian-activity-7341794923198709761-by9G

cve.org (CVE-2025-49618)

nvd.nist.gov (CVE-2025-49618)