Security Update Disclosures

Webpros has recently released security updates for cPanel & WHM. Join us on the cPanel Community Forums, Discord, or Reddit to talk about this update and much more. If you have additional questions, feel free to reach out on one of our social channels.


CPANEL-47165

Calendar and Contacts Server prior to version 9.3-26, under cPanel & WHM version 110, exposes other accounts’ email addresses.

The exposed email addresses belong to other users’ accounts and could be used for impersonation or spam.

Reporter: Federico Scroccarello

Score: 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N


TSR-609

Possible XSS through the view option in the HTML Filemanager when viewing a stored PDF with embedded JavaScript.

Reporter: Bhargav Hede

Score: 4.4 CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N

While this issue was being resolved, other issues were found in the HTML Filemanager, and a decision was made to completely remove the file editor at this time while a replacement is researched and implemented. Webpros would still like to thank and credit the reporter for their find, as it was a valid vulnerability.