
cPanel TSR-2020-0007 Full Disclosure
SEC-567

Summary

URL parameter injection vulnerabilities in multiple interfaces.

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of 2.6 (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N)

Description

Many cPanel & WHM interfaces create URIs to other interfaces by incorporating user-supplied data in URI query parameters. Several cPanel & WHM interfaces were using URL encoding on these parameters rather than URI encoding. Due to this mistake, a cPanel & WHM user could be misled into performing actions they did not intend.
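The distinction the advisory draws is between escaping a value as though it were already a URL (which leaves reserved characters such as `&` and `=` intact) and percent-encoding it as a single URI component. The following is an added illustration, not cPanel's code: the weak encoder approximates the first behaviour, the component encoder the second, and `link_preserves_params` checks whether the receiving interface recovers exactly the parameters the link builder intended. The path `/frontend/edit` and the value `bob&action=delete` are constructed for the example.

```python
from urllib.parse import quote, urlsplit, parse_qs

# Constructed example: a user-controlled value that ends up in a link's query string.
USER_SUPPLIED = "bob&action=delete"


def url_escape_weak(value):
    """Escapes a string as if it were already a URL: reserved characters such as
    '&', '=', '?' and '/' are left untouched. Illustrative weak behaviour only,
    not the routine cPanel used."""
    return quote(value, safe="/:?&=")


def uri_encode_component(value):
    """Percent-encodes one query component so nothing inside it can act as a
    parameter separator or a key/value delimiter."""
    return quote(value, safe="")


def build_link(base, params, encoder):
    """Builds base?k=v&k2=v2 with every key and value passed through `encoder`."""
    query = "&".join(f"{encoder(k)}={encoder(v)}" for k, v in params.items())
    return f"{base}?{query}"


def decoded_params(url):
    """Parses the query string the way the receiving interface would see it."""
    parsed = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {key: values[0] for key, values in parsed.items()}


def link_preserves_params(base, params, encoder):
    """True only if the receiving side recovers exactly the parameters we intended,
    with no extra parameters smuggled in through the value."""
    return decoded_params(build_link(base, params, encoder)) == params


if __name__ == "__main__":
    params = {"user": USER_SUPPLIED}
    for name, encoder in (("weak", url_escape_weak), ("component", uri_encode_component)):
        link = build_link("/frontend/edit", params, encoder)
        print(name, link, decoded_params(link),
              link_preserves_params("/frontend/edit", params, encoder))
```

With the weak encoder the single intended parameter arrives at the receiving interface as two (`user=bob` and `action=delete`); with per-component encoding the value survives the round trip unchanged, which is the property a link builder should verify in its tests.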

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.92.0.2
11.90.0.17
11.86.0.32

SEC-575

Summary

Two factor authentication vulnerable to brute force attack.

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Description

The two-factor authentication cPanel Security Policy did not prevent an attacker from repeatedly submitting two-factor authentication codes. This allowed an attacker to bypass the two-factor authentication check using brute force techniques. Failed validation of the two-factor authentication code is now treated as equivalent to a failure of the account’s primary password validation and rate limited by cPHulk.
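The fix described above is a policy change: a wrong one-time code must count against the same failure budget as a wrong password, so the second factor cannot be guessed independently of the rate limiting that already protects the first. The following added example (not cPanel's code, and not cPHulk) shows that policy with a hypothetical `AuthRateLimiter` shared by both checks; the account name, code `492817`, and thresholds are constructed for the example, and `now` is passed explicitly so the lockout window is testable.

```python
import hmac
import time


class AuthRateLimiter:
    """One failure counter per account, shared by the password check and the
    second-factor check. Hypothetical stand-in for a cPHulk-style limiter."""

    def __init__(self, max_failures=5, lockout_seconds=900):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._state = {}

    def _entry(self, account):
        return self._state.setdefault(account, {"failures": 0, "locked_until": 0.0})

    def is_locked(self, account, now=None):
        now = time.time() if now is None else now
        return now < self._entry(account)["locked_until"]

    def record_failure(self, account, now=None):
        """Called for a wrong password AND for a wrong one-time code."""
        now = time.time() if now is None else now
        entry = self._entry(account)
        if entry["failures"] >= self.max_failures and now >= entry["locked_until"]:
            entry["failures"] = 0  # previous lockout window has expired; start a fresh count
        entry["failures"] += 1
        if entry["failures"] >= self.max_failures:
            entry["locked_until"] = now + self.lockout_seconds

    def record_success(self, account):
        self._state.pop(account, None)


def verify_second_factor(limiter, account, submitted_code, expected_code, now=None):
    """Checks a one-time code. While the account is locked no comparison happens at all;
    a wrong code is recorded exactly as a wrong password would be. The comparison is
    constant-time so the check leaks nothing about how many digits matched."""
    if limiter.is_locked(account, now):
        return False
    ok = hmac.compare_digest(submitted_code.encode(), expected_code.encode())
    if ok:
        limiter.record_success(account)
    else:
        limiter.record_failure(account, now)
    return ok


if __name__ == "__main__":
    limiter = AuthRateLimiter(max_failures=3, lockout_seconds=600)
    for guess in ("000000", "000001", "000002"):
        print(guess, verify_second_factor(limiter, "alice", guess, "492817", now=1000))
    print("locked:", limiter.is_locked("alice", now=1000))
    print("correct code while locked:",
          verify_second_factor(limiter, "alice", "492817", "492817", now=1000))
    print("correct code after window:",
          verify_second_factor(limiter, "alice", "492817", "492817", now=1700))
```

The property worth asserting in a regression test is the third call: a correct code submitted during the lockout window is still rejected, which is what makes exhaustive guessing of a six-digit code uneconomic once the per-account failure budget is spent.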

Credits

This issue was discovered by Michael Clark and Wes Wright of Digital Defense, Inc.

Solution

This issue is resolved in the following builds:
11.92.0.2
11.90.0.17
11.86.0.32

SEC-577

Summary

Self-XSS vulnerability in WHM Transfer Tool interface.

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of 4.7 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N)

Description

Error messages in the WHM Transfer Tool Interface were not properly encoded. This allowed the injection of HTML into some error messages displayed for invalid inputs.
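An error message that echoes the invalid input back to the user has to HTML-encode that input before it is placed in the page. The following is an added example, not the Transfer Tool's code: `render_error_unsafe` interpolates the raw value into markup, `render_error` escapes it first, and `tags_in` parses the rendered fragment so a test can confirm that the only element in the safe output is the template's own `<p>`. The invalid hostname `bad<b>host</b>` and the template text are constructed for the example.

```python
import html
from html.parser import HTMLParser

# Constructed invalid input of the kind an error message might echo back.
BAD_HOSTNAME = "bad<b>host</b>"


def render_error_unsafe(user_input):
    """Interpolates raw input into markup: any tags in the input become live HTML."""
    return f'<p class="error">Invalid hostname: {user_input}</p>'


def render_error(user_input):
    """Escapes <, >, &, double and single quotes so the input is displayed as text only.
    quote=True also covers the case where a template puts the value inside an attribute."""
    return f'<p class="error">Invalid hostname: {html.escape(user_input, quote=True)}</p>'


class _TagCollector(HTMLParser):
    """Records every start tag the browser-side parser would see."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(rendered):
    """Lists the elements present in a rendered fragment; an encoded value contributes none."""
    collector = _TagCollector()
    collector.feed(rendered)
    collector.close()
    return collector.tags


if __name__ == "__main__":
    for renderer in (render_error_unsafe, render_error):
        out = renderer(BAD_HOSTNAME)
        print(renderer.__name__, out, tags_in(out))
```

Checking the parsed element list rather than searching the output string for `<` is what makes this a useful test: it asserts directly that user data cannot introduce elements, regardless of which characters a particular escaping routine handles.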

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.92.0.2
11.90.0.17

For the PGP-signed message, please see cPanel TSR-2020-0007 Full Disclosure.