Newsroom

cPanel TSR-2023-0001 Full Disclosure

February 28, 2023

cPanel TSR-2023-0001 Full Disclosure

SEC-668

Summary

Beef up filter checking for invalid webmail forwarders.

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of Severity: 5.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Description

Putting back-slashes before and after forbidden webmail forwarder words (such as include) will allow it to go through. Improve the filter to catch this.

Credits

This issue was discovered by John Lightsey.

Solution

This issue is resolved in the following builds:
11.109.9999.116
11.108.0.13
11.106.0.18
11.102.0.31

SEC-669

Summary

Escape HTML message in cpsrvd’s error page.

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

Description

An invalid webcall ID can contain cross-site scripting content and needs to be escaped when displayed on the error page for cpsrvd. By escaping the HTML message in the error page we can prevent cross-site scripting from this source as well as any other source that makes it onto the error page.

Credits

This issue was discovered by two different reporters:

Sergey Temnikov

Shubham Shah of Assetnote.

Solution

This issue is resolved in the following builds:
11.109.9999.116
11.108.0.13
11.106.0.18
11.102.0.31

https://news.cpanel.com/wp-content/uploads/2023/02/TSR-2023-0001-Full-Disclosure.signed.txt