Cyber Resilience

CVE-2023-24044

Severity: Medium · Public PoC

Published: 22 January 2023
Modified: 02 April 2025
KEV Added: not listed
Patch: none issued
CVSS Score v3.1: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
EPSS Score: 0.5915 (98.3rd percentile)
Risk Priority: 48 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-24044 is a medium-severity Open Redirect (CWE-601) vulnerability in Plesk Obsidian. Its CVSS base score is 6.1 (Medium).

Operationally, this CVE ranks in the top 1.7% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

CVE-2023-24044 is a host header injection vulnerability affecting the login page of Plesk Obsidian versions through 18.0.49. The flaw permits an attacker to supply an arbitrary value in the Host request header, which the application reflects without validation and thereby enables an open redirect. The issue is tracked under CWE-601 and carries a CVSS 3.1 base score of 6.1.

An unauthenticated remote attacker can exploit the weakness by crafting a request to the login endpoint that contains a malicious Host header. When a victim follows the resulting URL, the browser is redirected to an attacker-controlled site, allowing phishing or further client-side attacks. User interaction is required, but no privileges are needed on the Plesk instance.

Plesk has stated that the ability to reach the panel via arbitrary domain names is an intended feature and has not issued a corrective patch. Public references, including a Plesk support article and technical write-ups, document the behavior but do not describe additional mitigations. The associated EPSS score has remained near 0.59 since disclosure, indicating sustained but not sharply increasing exploitation interest.

Vulnerability details

A Host Header Injection issue on the Login page of Plesk Obsidian through 18.0.49 allows attackers to redirect users to malicious websites via a Host request header. NOTE: the vendor's position is "the ability to use arbitrary domain names to access the panel is an intended feature."

CWE(s)

CWE-601 (URL Redirection to Untrusted Site, "Open Redirect")

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

plesk / obsidian, versions ≤ 18.0.49

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Addresses CWE-601: Security awareness includes verifying URLs and avoiding untrusted redirects that lead to malicious sites.

- Addresses CWE-601: Validates redirect targets and URLs to ensure they conform to allowed destinations.
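To make the mechanism in the deeper analysis and the second control above concrete, here is an added example (not Plesk's code, and not taken from any of the references) showing the vulnerable pattern of echoing the Host header into a redirect beside a hardened version that only honours an allow-listed host and substitutes a configured canonical origin otherwise. The hostnames, the `/login` route and the request headers are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed placeholders: the hostnames the panel is legitimately served on.
# A real deployment would read these from configuration.
ALLOWED_HOSTS = {"panel.example.com", "panel.example.com:8443"}
CANONICAL_ORIGIN = "https://panel.example.com:8443"
LOGIN_PATH = "/login"  # placeholder route, not the product's real login URL


def _local_path(path: str) -> str:
    """Keep only a single-slash-rooted local path; anything carrying a scheme,
    an authority ("//other.example"), or backslashes falls back to "/"."""
    parts = urlsplit(path)
    if (parts.scheme or parts.netloc or not path.startswith("/")
            or path.startswith("//") or "\\" in path):
        return "/"
    return path


def redirect_target_unsafe(headers: dict, path: str = LOGIN_PATH) -> str:
    """Vulnerable pattern (CWE-601): the Host header is echoed verbatim into
    the absolute redirect URL, so whoever controls Host controls the target."""
    return f"https://{headers.get('Host', '')}{path}"


def redirect_target_safe(headers: dict, path: str = LOGIN_PATH) -> str:
    """Hardened pattern: the Host value is used only when it is on the
    allow-list; otherwise the configured canonical origin is substituted."""
    host = headers.get("Host", "").strip().lower()
    if host in ALLOWED_HOSTS:
        return f"https://{host}{_local_path(path)}"
    return f"{CANONICAL_ORIGIN}{_local_path(path)}"


def is_unexpected_host(headers: dict) -> bool:
    """Detection helper: True when a request names a Host outside the
    allow-list, which is worth logging even on a hardened deployment."""
    return headers.get("Host", "").strip().lower() not in ALLOWED_HOSTS


if __name__ == "__main__":
    # Constructed request headers, not captured traffic.
    trusted = {"Host": "panel.example.com"}
    spoofed = {"Host": "unexpected.example"}
    print(redirect_target_unsafe(spoofed))  # https://unexpected.example/login
    print(redirect_target_safe(spoofed))    # https://panel.example.com:8443/login
    print(is_unexpected_host(spoofed))      # True
```

The same allow-list comparison used in `is_unexpected_host` can be applied at a reverse proxy or in access-log review to surface requests arriving with unexpected Host values.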