Yesterday cPanel released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. Below is the full disclosure of the changes included in that update.
Information on cPanel’s security ratings is available at https://go.cpanel.net/securitylevels.
If your deployed cPanel & WHM servers are configured to automatically update when new releases are available, then no action is required. Your systems will update automatically. If you have disabled automatic updates, then we strongly encourage you to update your cPanel & WHM installations at your earliest convenience.
SEC-528
Summary
Self-XSS Vulnerability in the WHM Update Preferences
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Description
Error messages in the WHM Update Preferences interface were interpreted as Angular markup. These messages included input data provided by the user.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.82.0.15
11.78.0.39
SEC-517
Summary
cPanel API token credentials remain after account rename or termination.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 8.0 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Description
When a cPanel user’s account was renamed or terminated, the API tokens belonging to the account were left installed on the system under the old name. Any new accounts created with the same name would allow access to the previous account’s API tokens.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.82.0.15
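The SEC-517 condition for the termination case, as an added example that is not cPanel's code: a simplified in-memory model in which tokens are keyed by account name. The class, method, account and token names are hypothetical, and the `terminate` correction is an assumed fix, not a description of the shipped one. The audit check lists names that still hold tokens without a live account.

```python
# Added illustration: a simplified in-memory model, not cPanel's code or storage layout.
import hmac
import secrets


class TokenStore:
    """API tokens keyed by account name, as the advisory describes."""

    def __init__(self):
        self.accounts = set()  # live account names
        self.tokens = {}       # account name -> {token name: secret}

    def create_account(self, user):
        self.accounts.add(user)

    def issue_token(self, user, name):
        secret = secrets.token_hex(16)
        self.tokens.setdefault(user, {})[name] = secret
        return secret

    def authenticate(self, user, secret):
        held = self.tokens.get(user, {}).values()
        return user in self.accounts and any(hmac.compare_digest(secret, s) for s in held)

    def terminate_unfixed(self, user):
        # Behaviour described in SEC-517: tokens stay behind under the old name.
        self.accounts.discard(user)

    def terminate(self, user):
        # Assumed correction: revoke the account's tokens with the account.
        self.accounts.discard(user)
        self.tokens.pop(user, None)

    def orphaned_token_owners(self):
        """Audit check: names that hold tokens but have no live account."""
        return sorted(set(self.tokens) - self.accounts)


def old_token_works_after_reuse(fixed):
    """Constructed scenario: 'alice' is terminated, then the name is reused."""
    store = TokenStore()
    store.create_account("alice")
    old = store.issue_token("alice", "backup-job")
    (store.terminate if fixed else store.terminate_unfixed)("alice")
    orphans = store.orphaned_token_owners()  # audit before the name is reused
    store.create_account("alice")  # a different customer receives the same name
    return store.authenticate("alice", old), orphans
```

The rename case fails the same way in this model: the tokens stay under the old name unless the rename moves or revokes them.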
SEC-526
Summary
Self-XSS Vulnerability in cPanel SSL Key Delete
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Description
When deleting an SSL key, the user is prompted to remove associated SSL certificates. The certificate name was not adequately encoded in this prompt.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.82.0.15
11.78.0.39
SEC-527
Summary
Self-Stored XSS Vulnerability in WHM SSL Storage Manager
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Description
The WHM SSL Storage Manager interface allows resellers to manage their own SSL certificates and keys. The friendly_name field of displayed SSL keys was not adequately encoded in this interface.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.82.0.15
11.78.0.39
SEC-524
Summary
XSS Vulnerabilities in cPanel LiveAPI example scripts.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Description
The cPanel LiveAPI example scripts output multiple sets of data from the environment and cPanel runtime. This output was not adequately encoded.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.82.0.15
11.78.0.39
SEC-521
Summary
Self-XSS Vulnerability in cPanel SSL Certificate Upload
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Description
When uploading an SSL certificate using the cPanel SSL Certificate Upload interface, the common name was not adequately encoded in the success message.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.82.0.15
11.78.0.39
SEC-503
Summary
Demo account code execution via Chrome::get_dom UAPI function.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 7.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Description
The get_dom function in the Chrome UAPI module did not validate inputs properly. This could be misused by demo logins to execute arbitrary code embedded in Template Toolkit files.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.78.0.39
For the PGP-signed message, please see: TSR-2019-0005.disclosure.signed.txt.