SEC-515
Summary
Self-XSS vulnerability via temporary character set specification.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Description
cPanel & WHM and its APIs allow you to specify a temporary character set to use for HTTP responses. Most interfaces and APIs do not expect to have the character set of their responses changed. This confusion could allow for an attacker to cause the rendering browser to parse and execute code.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.84.0.20
11.78.0.45
SEC-535
Summary
Self-stored XSS vulnerability in HTML file editor.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Description
The cPanel HTML file editor displays error messages when failing to open a file. These error messages were not adequately encoded. It was possible to manipulate these error messages to include HTML markup that would be rendered by the user’s browser.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.84.0.20
11.78.0.45
SEC-537
Summary
Arbitrary code execution as root via dnsadmin when using PowerDNS.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 8.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Description
The name server configuration logic for PowerDNS allowed additional positional parameters to be injected when calling the pdns_control command. By injecting malicious data into these parameters, it was possible for a malicious reseller with the clustering ACL to execute arbitrary code on the system.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.84.0.20
11.78.0.45
SEC-541
Summary
Feature and demo restrictions not enforced for WebDisk UAPI calls.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Description
Refactoring of the feature and demo access restriction code removed enforcement of these restrictions on all WebDisk UAPI calls.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.84.0.20
11.78.0.45
SEC-542
Summary
Demo checks enforced incorrectly in Market UAPI namespace.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Description
The API calls available in the Market UAPI namespace did not limit the actions of demo accounts properly.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.84.0.20
11.78.0.45
SEC-543
Summary
Demo account file modifications through Branding API calls.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Description
Restrictions on demo accounts for several Branding API1 and API2 calls were not properly enforced. In some configurations this allowed demo accounts to read and write arbitrary files on the system.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.84.0.20
11.78.0.45
SEC-544
Summary
Demo account remote code execution via cpsrvd rsync shell.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 8.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
Description
The cPanel server includes rsync remote file transfer functionality. The access controls limiting demo account usage of this functionality was ineffective. This could be abused by a demo account user to execute arbitrary code on the server.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.84.0.20
SEC-545
Summary
Root remote code execution for resellers via cpsrvd rsync shell.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 9.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Description
The cPanel server includes rsync remote file transfer functionality. The access controls limiting reseller usage of this functionality was ineffective. This could be abused by any reseller to execute arbitrary code as the root account.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.84.0.20
SEC-546
Summary
Demo account code execution via PassengerApps APIs.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 8.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
Description
When registering a Passenger application, the ‘ensure_deps’ API will install dependencies according to a configuration file within the application directory. Demo accounts were not restricted from invoking this API call, allowing the execution of arbitrary code on the server.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.84.0.20
11.78.0.45
SEC-547
Summary
Arbitrary file deletion for Webmail and Demo accounts.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Description
Functionality intended to handle JSON POST data submitted in HTTP requests did not apply input filtering required to distinguish file uploads from other form parameters. A malicious webmail or demo account could misuse this behavior to delete files on the system.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.84.0.20
11.78.0.45
For the PGP-signed message, please see: https://news.cpanel.com/wp-content/uploads/2020/01/TSR-2020-0001.disclosure.signed.txt.