Newsroom

cPanel Cross Site Scripting Vulnerability

Summary
A cross site scripting vulnerability has been discovered in our 11.24.x versions of cPanel that has been addressed and fixed in our 11.25.x series of the product.

Security Rating
This update has been rated as having a trivial security impact by the cPanel Security team.

Description
The dofileop.html page in x3 for cPanel has been found to be vulnerable to a Cross Site Scripting vulnerablitly at the following URL:

http://site.com:2082/frontend/x3/files/dofileop.html?fileop=&opdir=&opfile=dir=%2fhome%2fuser%2ftmp&fileop=XSS%20Vulnerable

The fileop variable in the dofileop.html was not being fully santized or validated correctly and invalid data could be injected into the URL.

Solution
cPanel users should upgrade to our 11.25.0+ series of WHM/cPanel which contain a fix for this issue.

References
http://www.exploit-db.com/exploits/10519