Summary
URL parameter injection vulnerabilities in multiple interfaces.
Security Rating
cPanel has assigned this vulnerability a CVSSv3.1 score of 2.6 CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N
Description
Many cPanel & WHM interfaces create URIs to other interfaces by incorporating user-supplied data in URI query parameters. Several cPanel & WHM interfaces were applying HTML entity encoding to these parameters rather than URI (percent) encoding. Entity encoding does not neutralize the characters that delimit a query string: '?', '=' and '#' are left untouched, and the '&amp;' it produces for '&' is decoded back to '&' when the browser reads the link, so user-supplied data could add, override or truncate query parameters in the generated URI. Due to this mistake, a cPanel & WHM user could be misled into performing actions they did not intend.
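The following is an added example, not cPanel's code, showing why entity encoding is the wrong tool for a query parameter and what the receiving interface sees after a browser has decoded the link. The path /cgi/manage, the parameter name "name" and the attacker-controlled values are constructed for the example and do not correspond to any real cPanel & WHM interface.

```python
import html
from urllib.parse import parse_qs, quote, urlsplit

# Hypothetical interface path for the example; not a real cPanel & WHM URI.
TARGET = "/cgi/manage"


def link_html_encoded(user_value):
    """Vulnerable pattern: HTML entity encoding applied to a query parameter.

    The page source looks harmless ('&' became '&amp;'), but a browser decodes
    entities when it reads the href attribute, and '=', '?' and '#' were never
    encoded at all, so user data can add, override or truncate parameters."""
    return f'<a href="{TARGET}?name={html.escape(user_value, quote=True)}">go</a>'


def link_uri_encoded(user_value):
    """Fixed pattern: encode for each context, innermost first.

    1. percent-encode the value for the URI context (safe='' so that '&', '=',
       '?', '#' and '/' are all escaped);
    2. entity-encode the finished URI for the HTML attribute context."""
    uri = f"{TARGET}?name={quote(user_value, safe='')}"
    return f'<a href="{html.escape(uri, quote=True)}">go</a>'


def browser_follow(anchor_html):
    """Model the two decoding steps a browser performs before the target
    interface sees the request: read the href attribute (entity-decode),
    then parse the query string of the resulting URI."""
    start = anchor_html.index('href="') + len('href="')
    end = anchor_html.index('"', start)
    href = html.unescape(anchor_html[start:end])
    return parse_qs(urlsplit(href).query, keep_blank_values=True)


if __name__ == "__main__":
    # Constructed attacker-controlled values (e.g. a domain or file name).
    for value in ("example.com&action=delete", "example.com#"):
        print("HTML-encoded ->", browser_follow(link_html_encoded(value)))
        print("URI-encoded  ->", browser_follow(link_uri_encoded(value)))
```

With the vulnerable builder, "example.com&action=delete" reaches the target as two parameters, and a trailing '#' silently drops everything after it; with percent encoding the whole string arrives as the single value of "name". The general rule the example illustrates is that a value nested in two contexts (a URI inside an HTML attribute) needs both encoders, applied inner to outer.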
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.92.0.2
11.90.0.17
11.86.0.32
Summary
Two factor authentication vulnerable to brute force attack.
Security Rating
cPanel has assigned this vulnerability a CVSSv3.1 score of 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Description
The two-factor authentication cPanel Security Policy did not limit how many times a two-factor authentication code could be submitted. An attacker who had already passed the primary password check could therefore guess the code by brute force and bypass the second factor. Failed validation of the two-factor authentication code is now treated as equivalent to a failure of the account's primary password validation and is rate limited by cPHulk.
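The following is an added example, not cPanel's or cPHulk's code. It implements a standard RFC 6238 TOTP check (using the RFC's published test key), a verifier that counts failed second-factor submissions per account, and an attacker who enumerates codes after the password has already been accepted. The lockout threshold of five failures is an assumption for the example, not a cPHulk default.

```python
import hmac
import struct
from hashlib import sha1

# RFC 6238 reference test key; used here only so the expected codes are known.
SECRET = b"12345678901234567890"
STEP = 30
DIGITS = 6


def totp(secret, unix_time, step=STEP, digits=DIGITS):
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing unix_time."""
    counter = struct.pack(">Q", int(unix_time) // step)
    digest = hmac.new(secret, counter, sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TwoFactorVerifier:
    """Second-factor check that runs after the primary password succeeded.

    max_failures=None reproduces the flawed behaviour (unlimited guesses).
    With a threshold, failures are counted per account and the account is
    locked out, analogous to treating a bad code like a bad password."""

    def __init__(self, secret, max_failures=None):
        self.secret = secret
        self.max_failures = max_failures  # assumption: 5 in the tests below
        self.failures = {}
        self.locked = set()

    def verify(self, account, submitted, unix_time):
        if account in self.locked:
            return "locked"
        expected = totp(self.secret, unix_time)
        # Constant-time comparison; only the current step is accepted here.
        # Real deployments usually also accept adjacent steps for clock skew,
        # which only enlarges the target an attacker is guessing at.
        if hmac.compare_digest(submitted, expected):
            self.failures.pop(account, None)
            return "ok"
        count = self.failures.get(account, 0) + 1
        self.failures[account] = count
        if self.max_failures is not None and count >= self.max_failures:
            self.locked.add(account)
            return "locked"
        return "bad"


def brute_force(verifier, account, unix_time, digits=DIGITS):
    """Attacker who knows the password and enumerates every possible code
    within one time step. Returns (final outcome, submissions made)."""
    attempts = 0
    for guess in range(10 ** digits):
        attempts += 1
        outcome = verifier.verify(account, str(guess).zfill(digits), unix_time)
        if outcome in ("ok", "locked"):
            return outcome, attempts
    return "exhausted", attempts


if __name__ == "__main__":
    now = 1234567890  # fixed timestamp so the run is reproducible
    print("unlimited:", brute_force(TwoFactorVerifier(SECRET), "user", now))
    print("throttled:", brute_force(TwoFactorVerifier(SECRET, max_failures=5), "user", now))
```

A six-digit code gives at most one million candidates per time step, so without a limit the attacker succeeds in a bounded number of requests; with the counter in place the account is locked after a handful of wrong codes and even the correct code is then refused. Counting per account rather than per source address means rotating IPs does not reset the counter, at the cost of letting a remote attacker lock the account; brute-force protection such as cPHulk tracks both dimensions.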
Credits
This issue was discovered by Michael Clark and Wes Wright of Digital Defense, Inc.
Solution
This issue is resolved in the following builds:
11.92.0.2
11.90.0.17
11.86.0.32
Summary
Self-XSS vulnerability in WHM Transfer Tool interface.
Security Rating
cPanel has assigned this vulnerability a CVSSv3.1 score of 4.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Description
Error messages in the WHM Transfer Tool interface were not properly HTML-encoded. Invalid input was reflected into some error messages without encoding, which allowed the injection of HTML, and therefore script, into the page shown for that input.
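The following is an added example, not the Transfer Tool's code, showing the unencoded error message beside its encoded form and checking what a browser would actually create from each. The message wording and the constructed invalid input are assumptions.

```python
import html
from html.parser import HTMLParser


def render_error_unencoded(field, value):
    """Vulnerable pattern: the rejected input is interpolated raw into HTML."""
    return f'<p class="error">Invalid value for {field}: {value}</p>'


def render_error_encoded(field, value):
    """Fixed pattern: entity-encode every untrusted piece before it reaches
    the HTML context (quote=True also covers attribute contexts)."""
    return (f'<p class="error">Invalid value for {html.escape(field, quote=True)}: '
            f'{html.escape(value, quote=True)}</p>')


class _TagCollector(HTMLParser):
    """Records the start tags the fragment would produce in a browser."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def elements_in(fragment):
    """Tag names parsed from the fragment: anything beyond the expected <p>
    came from the untrusted input."""
    parser = _TagCollector()
    parser.feed(fragment)
    return parser.tags


if __name__ == "__main__":
    # Constructed invalid input carrying a generic script-bearing element.
    bad_input = '<img src=x onerror="alert(1)">'
    print(elements_in(render_error_unencoded("hostname", bad_input)))
    print(elements_in(render_error_encoded("hostname", bad_input)))
```

The encoded version keeps the same text visible to the user (the browser renders '&lt;img ...&gt;' as literal characters) while creating no element from it, which is the whole of the fix for this class of bug.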
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.92.0.2
11.90.0.17
For the PGP-signed message, please see cPanel TSR-2020-0007 Full Disclosure.