cPanel TSR-2019-0005 Full Disclosure

Yesterday cPanel released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. Below is the full disclosure of the changes included in that update.

Information on cPanel’s security ratings is available at https://go.cpanel.net/securitylevels.

If your deployed cPanel & WHM servers are configured to automatically update when new releases are available, then no action is required. Your systems will update automatically. If you have disabled automatic updates, then we strongly encourage you to update your cPanel & WHM installations at your earliest convenience.

SEC-528

Summary

Self-XSS Vulnerability in the WHM Update Preferences

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Description

Error messages in the WHM Update Preferences interface were interpreted as Angular markup. These messages included input data provided by the user.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.82.0.15
11.78.0.39

SEC-517

Summary

cPanel API token credentials remain after account rename or termination.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 8.0 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Description

When a cPanel user’s account was renamed or terminated, the API tokens belonging to the account were left installed on the system under the old name. Any new accounts created with the same name would allow access to the previous account’s API tokens.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.82.0.15
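
An audit for the condition described in SEC-517, added here as an example and not cPanel's code: given an inventory of accounts and stored API tokens, it flags tokens stored under a name that has no current account, and tokens issued before the current account of that name was created. The record types, field names and sample inventory are assumptions, and reading the inventory from a server is left out.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Account:
    name: str
    created: int  # Unix time the account was created

@dataclass(frozen=True)
class Token:
    owner: str    # account name the token is stored under
    label: str
    created: int  # Unix time the token was issued

def audit_tokens(accounts, tokens):
    """Return (orphaned, inherited) token lists.

    orphaned:  stored under a name with no current account (left behind
               by a rename or termination).
    inherited: stored under a current account's name but issued before
               that account existed, so it came from a previous holder
               of the name.
    """
    created_at = {a.name: a.created for a in accounts}
    orphaned, inherited = [], []
    for t in tokens:
        if t.owner not in created_at:
            orphaned.append(t)
        elif t.created < created_at[t.owner]:
            inherited.append(t)
    return orphaned, inherited

# Constructed sample inventory (not real data).
ACCOUNTS = [
    Account("alice", 1_560_000_000),
    Account("shop", 1_570_000_000),   # name reused after an earlier termination
]
TOKENS = [
    Token("alice", "backup-job", 1_561_000_000),   # legitimate
    Token("shop", "old-deploy", 1_550_000_000),    # predates the current "shop"
    Token("bob", "ci", 1_555_000_000),             # "bob" no longer exists
]

if __name__ == "__main__":
    orphaned, inherited = audit_tokens(ACCOUNTS, TOKENS)
    for t in orphaned:
        print(f"orphaned  {t.owner}/{t.label}: revoke")
    for t in inherited:
        print(f"inherited {t.owner}/{t.label}: revoke")
```

Tokens in either list should be revoked; the inherited list is the case where a new account of the same name could already use a previous account's credentials.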

SEC-526

Summary

Self-XSS Vulnerability in cPanel SSL Key Delete

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Description

When deleting an SSL key, the user is prompted to remove associated SSL certificates. The certificate name was not adequately encoded in this prompt.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.82.0.15
11.78.0.39

SEC-527

Summary

Self-Stored XSS Vulnerability in WHM SSL Storage Manager

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Description

The WHM SSL Storage Manager interface allows resellers to manage their own SSL certificates and keys. The friendly_name field of displayed SSL keys was not adequately encoded in this interface.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.82.0.15
11.78.0.39

SEC-524

Summary

XSS Vulnerabilities in cPanel LiveAPI example scripts.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Description

The cPanel LiveAPI example scripts output multiple sets of data from the environment and cPanel runtime. This output was not adequately encoded.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.82.0.15
11.78.0.39

SEC-521

Summary

Self-XSS Vulnerability in cPanel SSL Certificate Upload

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Description

When uploading an SSL certificate using the cPanel SSL Certificate Upload interface, the common name was not adequately encoded in the success message.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.82.0.15
11.78.0.39

SEC-503

Summary

Demo account code execution via Chrome::get_dom UAPI function.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 7.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Description

The get_dom function in the Chrome UAPI module did not validate inputs properly. This could be misused by demo logins to execute arbitrary code embedded in Template Toolkit files.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.78.0.39

For the PGP-signed message, please see: TSR-2019-0005.disclosure.signed.txt.