Summary
Self-XSS vulnerability in the WHM Edit DNS Zone interface.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.7 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N)
Description
The return URL argument supplied to the Edit DNS Zone interface was insufficiently validated. This allowed the injection of JavaScript code into the return hyperlink.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.90.0.10
11.88.0.17
11.86.0.27
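As an added illustration (not cPanel's own code) of the check the Edit DNS Zone issue above calls for: a validator that accepts only same-origin, in-app paths for the return URL and escapes the value when building the hyperlink, which is also the output-escaping step the unescaped-output issues later in this release needed. ALLOWED_PREFIX and the fallback page are assumed values chosen for the example.

```python
from html import escape
from typing import Optional
from urllib.parse import unquote, urlsplit

# Constructed example, not cPanel's own code. ALLOWED_PREFIX is an assumed
# in-app path prefix that a "return" link is allowed to point back to.
ALLOWED_PREFIX = "/scripts"


def _is_safe_path(candidate: str) -> bool:
    # Reject control characters (newline/tab tricks) before parsing.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in candidate):
        return False
    # Browsers treat backslashes as slashes, so "/\evil.example" is off-origin.
    if "\\" in candidate:
        return False
    parts = urlsplit(candidate)
    # Any scheme (javascript:, data:, http:) or authority (//evil) is off-origin.
    if parts.scheme or parts.netloc:
        return False
    path = parts.path
    if path != ALLOWED_PREFIX and not path.startswith(ALLOWED_PREFIX + "/"):
        return False
    # "/scripts/../x" is resolved by the browser to a path outside the prefix.
    if ".." in path.split("/"):
        return False
    return True


def validate_return_url(value: str) -> Optional[str]:
    """Return the value unchanged if it is a same-origin in-app path, else None."""
    if not value or len(value) > 2048:
        return None
    # Check the raw value and its percent-decoded form, so "javascript%3A..."
    # or "%2e%2e" cannot smuggle a scheme or traversal past the checks.
    if all(_is_safe_path(form) for form in (value, unquote(value))):
        return value
    return None


def render_return_link(value: str, fallback: str = "/scripts/listzones") -> str:
    """Build the return hyperlink; unsafe values fall back to a fixed page."""
    target = validate_return_url(value) or fallback
    # Attribute-context escaping: quotes and angle brackets become entities,
    # so the value cannot break out of the href attribute.
    return '<a href="%s">Return</a>' % escape(target, quote=True)
```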
Summary
File overwrite via email quota cache.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 5.5 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)
Description
Cpsrvd periodically updates the email quota cache, opening and writing the cache files as the root user while doing so. An attacker could potentially use this to overwrite files.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.90.0.10
11.88.0.17
11.86.0.27
Summary
Self-XSS vulnerabilities in WHM Manage API Tokens interfaces.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.7 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N)
Description
Error messages displayed in the WHM Manage API Tokens interface were not properly escaped. This allowed the injection of HTML into the rendered page.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.90.0.10
11.88.0.17
11.86.0.27
Summary
Self-XSS vulnerability in the cPanel Cron Jobs interface.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.7 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N)
Description
Settings displayed on the cPanel Cron Jobs interface were not properly escaped. This allowed the injection of HTML into the rendered page.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.90.0.10
11.88.0.17
11.86.0.27
Summary
Self-XSS vulnerability in the cPanel Cron Editor interface.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.7 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N)
Description
Parameters of cron jobs displayed in the cPanel Cron Editor interface were not properly escaped. This allowed the injection of HTML into the rendered page.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.90.0.10
11.88.0.17
11.86.0.27
For the PGP-signed message, please see TSR-2020-0005.disclosure.signed