Newsroom

cPanel TSR-2021-0005 Full Disclosure

cPanel has released its Targeted Security Release to address security concerns with the cPanel product. These updates are currently available to all customers via the standard update system.

cPanel has rated this update as having a CVSSv3.1 score of 3.9 to 5.3. For more information on ratings, please visit our documentation.

Is there any action required?

If you have disabled cPanel & WHM automatic updates, please update your cPanel & WHM installations at your earliest convenience.

If you have configured cPanel & WHM servers to automatically update, no action is required. Your servers have automatically been updated.

To avoid service interruptions, please ensure you are on one of the following secure versions:

  • 94.0.16 or greater
  • 98.0.8 or greater

Full Disclosure Details

SEC-595

Summary

Boxtrapper runs with /tmp as the working directory.

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of 3.9 CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N

Description

Boxtrapper is run with /tmp as the working directory. In combination with the CVE-2021-36770 for Perl’s Encode.pm, it is possible for an attacker to execute arbitrary code as another user on the server.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.98.0.8
11.94.0.16

SEC-596

Summary

Reflected XSS Vulnerability in Legacy Login Page.

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Description

Invalid UTF-8 characters could trigger cPanel to use the Legacy Login page. This page did not adequately encode output. This could allow for an attacker to inject arbitrary JavaScript code into the rendered page.

Credits

This issue was discovered by Sh1yo.

Solution

This issue is resolved in the following builds:
11.98.0.8
11.94.0.16

Additional Information

For the latest information on cPanel & WHM releases, please visit our cPanel Downloads page.

For more information on the cPanel & WHM Versions and Release Process, please refer to our documentation.

For the PGP-Signed message please see TSR-2021-0005.disclosure.signed.