CVE-2023-24044: 
NixOS vulnerability analysis and mitigation

A Host Header Injection vulnerability (CVE-2023-24044) was identified in the Login page of Plesk Obsidian through version 18.0.49. This vulnerability is disputed by the vendor, who states that 'the ability to use arbitrary domain names to access the panel is an intended feature.' The vulnerability was initially reported in January 2023 (CVE List).

The vulnerability allows attackers to manipulate the HTTP Host request header on the login page. When accessing the target website without a URL path and intercepting the login.php request, an attacker can modify the 'Host' HTTP request header value to point to a malicious website. This results in the target website redirecting to the attacker's domain instead of the legitimate login page (GitHub POC).

If successfully exploited, this vulnerability could allow attackers to redirect users from the legitimate login page to malicious websites, potentially leading to phishing attacks and credential theft (Medium Post).

The vendor has disputed this vulnerability, stating that the ability to use arbitrary domain names to access the panel is an intended feature of the product (CVE List). No specific mitigation steps have been provided as this is considered intended functionality.

Security researchers and community members have discussed this vulnerability, with some questioning its validity. For example, some experts have noted that the vulnerability would require man-in-the-middle capabilities to exploit, which would already give attackers significant access (GitHub POC).