cPanel Unscheduled TSR-2020-0006 Full Disclosure

CPANEL-34212

Summary

Live Transfer causes email accounts to not require a password on the source server.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 5.6 – CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Description

Previously, when Exim asked for authentication data, cpdoveauthd would send Exim the response for proxying without a password.
Since Exim ignores “proxy_maybe”, that caused Exim to forgo SMTP authentication in those cases.

Solution

This issue is resolved in the following build:
11.90.0.13

For the PGP-signed message, please see TSR-2020-0006.full.disclosure.signed