cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system.
SEC-592
Summary
Arbitrary code execution via install_locallib_loginprofile script.
Security Rating
cPanel has assigned this vulnerability a CVSSv3.1 score of 3.9 CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N
Description
The install_locallib_loginprofile script checks for optional modules within the current working directory if they are missing from the local system. If these modules are missing, it is possible for an attacker to execute arbitrary code when this script is executed.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.94.0.18
11.98.0.12
11.100.0.3
SEC-593
Summary
Cpanel::SecureDownload executes shell commands in an insecure manner.
Security Rating
cPanel has assigned this vulnerability a CVSSv3.1 score of 2.3 CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:N/I:L/A:N
Description
It is possible for Cpanel::SecureDownload to execute shell commands in an insecure manner. This can allow for an attacker to inject arbitrary commands to be executed on the target server.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.94.0.18
11.98.0.12
11.100.0.3
SEC-597
Summary
Self-Reflected-XSS Vulnerability in ModSecurity Custom Rules Interface.
Security Rating
cPanel has assigned this vulnerability a CVSSv3.1 score of 1.8 CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N
Description
When adding rules in the ModSecurity Custom Rules Interface, error messages are not adequately encoded. This could allow for an attacker to execute arbitrary code on the rendered page.
Credits
This issue was discovered by John Lightsey.
Solution
This issue is resolved in the following builds:
11.94.0.18
11.98.0.12
11.100.0.3
SEC-598
Summary
Stored-XSS Vulnerability in ModSecurity Rules Interface.
Security Rating
cPanel has assigned this vulnerability a CVSSv3.1 score of 3.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
Description
When enabling rules in the ModSecurity Rules Interface, status messages are not adequately encoded. This could allow for an attacker to execute arbitrary code on the rendered page.
Credits
This issue was discovered by John Lightsey.
Solution
This issue is resolved in the following builds:
11.94.0.18
11.98.0.12
11.100.0.3
SEC-599
Summary
Stored-XSS Vulnerability in ModSecurity Rules Interface.
Security Rating
cPanel has assigned this vulnerability a CVSSv3.1 score of 3.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
Description
When disabling rules in the ModSecurity Rules Interface, status messages are not adequately encoded. This could allow for an attacker to execute arbitrary code on the rendered page.
Credits
This issue was discovered by John Lightsey.
Solution
This issue is resolved in the following builds:
11.94.0.18
11.98.0.12
11.100.0.3
SEC-600
Summary
Reflected-XSS Vulnerability in ModSecurity Vendors Interface.
Security Rating
cPanel has assigned this vulnerability a CVSSv3.1 score of 3.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
Description
Errors generated by the ModSecurity Vendors Interface when adding a ModSecurity Vendor are not adequately encoded. This could allow for an attacker to execute arbitrary code on the rendered page.
Credits
This issue was discovered by John Lightsey.
Solution
This issue is resolved in the following builds:
11.94.0.18
11.98.0.12
11.100.0.3
SEC-602
Summary
Self-XSS Vulnerability in WHM Change Hostname interface.
Security Rating
cPanel has assigned this vulnerability a CVSSv3.1 score of 2.0 CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N
Description
The WHM Change Hostname interface does not adequately encode error messages. This could allow for an attacker to execute arbitrary code on the rendered page.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.94.0.18
11.98.0.12
11.100.0.3
SEC-603
Summary
Self-stored XSS Vulnerability in WHM Edit Reseller Nameservers and Privileges.
Security Rating
cPanel has assigned this vulnerability a CVSSv3.1 score of 2.3 CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:N/I:L/A:N
Description
The WHM Edit Reseller Nameservers and Privileges interface does not adequately encode package names. This could allow for an attacker to execute arbitrary code on the rendered page.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.94.0.18
11.98.0.12
11.100.0.3
SEC-604
Summary
Self-XSS Vulnerability in cPanel Default Address Interface.
Security Rating
cPanel has assigned this vulnerability a CVSSv3.1 score of 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Description
Errors returned in the cPanel Default Address Interface are not adequately encoded. This could allow for an attacker to execute arbitrary code on the rendered page.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.100.0.3
11.98.0.12
SEC-606
Summary
Sensitive data submitted via GET request in scripts2/dogencrt.
Security Rating
cPanel has assigned this vulnerability a CVSSv3.1 score of 2.3 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
Description
When generating an SSL certificate via the WHM Generate an SSL Certificate and Signing Request interface, the certificate’s passphrase was being submitted via a GET request. This could make it possible for an attacker to recover this sensitive information from log files or browser history.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.94.0.18
11.98.0.12
11.100.0.3
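One way to look for the past exposure described in SEC-606, as an added example that is not cPanel's own code: it scans access-log lines for GET requests to scripts2/dogencrt that carried a query string and produces a redacted copy of each hit. The combined log format, the sample lines and the parameter names `host` and `pass` are assumptions constructed for illustration; the advisory does not name the passphrase field.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Request part of a combined-format log line: "METHOD target HTTP/x.y"
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
ENDPOINT = "scripts2/dogencrt"  # path named in SEC-606


def find_exposures(lines):
    """Return one finding per GET to the endpoint that carried a query string."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST.search(line)
        if not match or match.group("method") != "GET":
            continue  # unparsable line, or a method whose body is not logged
        target = urlsplit(match.group("target"))
        # WHM paths may start with a /cpsess<token>/ segment; match on the tail.
        if not target.path.rstrip("/").endswith("/" + ENDPOINT) or not target.query:
            continue
        names = [k for k, _ in parse_qsl(target.query, keep_blank_values=True)]
        # Keep parameter names, drop every value: the advisory does not name
        # the passphrase field, so no value is assumed to be safe to keep.
        redacted = "&".join(f"{name}=[REDACTED]" for name in names)
        safe_line = line.replace(target.query, redacted)
        findings.append({"line": number, "params": names, "redacted": safe_line})
    return findings


# Constructed sample lines (not real log data); parameter names are made up.
SAMPLE_LOG = [
    '203.0.113.7 - root [01/Jan/2000:10:01:02 +0000] "GET /cpsess0000000000/scripts2/dogencrt?host=example.test&pass=Tr0ub4dor%263 HTTP/1.1" 200 0 "-" "-"',
    '203.0.113.7 - root [01/Jan/2000:10:05:40 +0000] "POST /cpsess0000000000/scripts2/dogencrt HTTP/1.1" 200 0 "-" "-"',
    '203.0.113.7 - root [01/Jan/2000:10:06:11 +0000] "GET /cpsess0000000000/scripts2/dogencrt HTTP/1.1" 200 0 "-" "-"',
    '203.0.113.7 - root [01/Jan/2000:10:07:30 +0000] "GET /cpsess0000000000/scripts/command?x=1 HTTP/1.1" 200 0 "-" "-"',
]

if __name__ == "__main__":
    for hit in find_exposures(SAMPLE_LOG):
        print(hit["line"], hit["params"], hit["redacted"])
```

Any hit means a passphrase may be sitting in the log in clear text, so the affected key material is a candidate for rotation and the log for restricted retention.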
SEC-608
Summary
Stored-XSS Vulnerability in ModSecurity Rules Interface.
Security Rating
cPanel has assigned this vulnerability a CVSSv3.1 score of 2.3 CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:N/I:L/A:N
Description
When deleting rules in the ModSecurity Rules Interface, status messages are not adequately encoded. This could allow for an attacker to execute arbitrary code on the rendered page.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.94.0.18
11.98.0.12
11.100.0.3
For the PGP-Signed message please see the linked document below.