cPanel TSR 2023-0004 Full Disclosure

SEC-675

Summary

Encoding issue in cPanel access_log.

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of 3.1 (Low) CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N

Description

Previously, incoming requests to cpsrvd that contained control and other non-printable characters were logged to access_log without being properly encoded. Such raw characters can cause various problems in a terminal used to view the log and can lead to security issues. This change ensures that these characters are properly ASCII encoded before they are written.
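The following is an added illustration of the log-encoding problem described above, written for this page and not taken from cPanel or cpsrvd. It shows a naive access-log writer next to one that ASCII-encodes control and non-printable characters, plus a check that flags log lines still carrying raw control bytes. The `\xHH` / `\uHHHH` escape convention, the log line layout and the sample request are assumptions for the demonstration.

```python
import re

# Anything outside printable ASCII (0x20-0x7E): C0 controls, DEL, and all
# non-ASCII code points. These must never reach the log file unencoded.
_UNSAFE = re.compile(r"[^\x20-\x7e]")


def encode_log_field(value: str) -> str:
    """Return value with every non-printable/non-ASCII character escaped.

    Assumed convention: \\xHH for code points below 0x100, \\uHHHH above.
    Backslashes are doubled first so the escaped form stays unambiguous.
    """
    def esc(match: re.Match) -> str:
        cp = ord(match.group(0))
        return f"\\x{cp:02x}" if cp < 0x100 else f"\\u{cp:04x}"

    return _UNSAFE.sub(esc, value.replace("\\", "\\\\"))


def unsafe_log_line(ip: str, method: str, path: str, status: int, ua: str) -> str:
    """The 'before' behaviour: request fields copied verbatim into the log."""
    return f'{ip} "{method} {path}" {status} "{ua}"'


def safe_log_line(ip: str, method: str, path: str, status: int, ua: str) -> str:
    """The hardened form: every attacker-influenced field is encoded."""
    return (
        f'{ip} "{encode_log_field(method)} {encode_log_field(path)}" '
        f'{status} "{encode_log_field(ua)}"'
    )


def has_raw_control_chars(line: str) -> bool:
    """Detection helper: True if a stored log line still contains raw
    control or non-ASCII characters (i.e. it was written unencoded)."""
    return _UNSAFE.search(line) is not None


# Constructed sample request: the path carries CR/LF followed by text shaped
# like a second log entry, and the User-Agent carries terminal escape codes.
CONSTRUCTED_PATH = '/cpsess0000000000/frontend/x\r\n10.0.0.2 "GET /admin" 200'
CONSTRUCTED_UA = "Mozilla/5.0 \x1b[2J\x1b[H"

if __name__ == "__main__":
    before = unsafe_log_line("10.0.0.1", "GET", CONSTRUCTED_PATH, 404, CONSTRUCTED_UA)
    after = safe_log_line("10.0.0.1", "GET", CONSTRUCTED_PATH, 404, CONSTRUCTED_UA)
    print("raw line spans", before.count("\n") + 1, "lines; flagged:", has_raw_control_chars(before))
    print("encoded line:", after)
```

Run on its own, the script shows the unencoded line splitting into two visual entries while the encoded line stays on one line with `\x0d\x0a` and `\x1b` visible. The `has_raw_control_chars` check is the kind of test a log reviewer can run over an existing access_log to find entries written before the fix.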

Credits

This issue was discovered by Andy Fletcher from ukdedicated.com.

Solution

This issue is resolved in the following builds:
11.116.0.4
11.114.0.12
11.110.0.15

SEC-677

Summary

Fix cross-site scripting (XSS) vulnerability in setting Content-Type/Content-Disposition for attachment preview/download.

Security Rating

NVD has assigned this vulnerability a CVSSv3.1 score of 5.4 (Medium) CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Description

Please see the upstream post for more information: https://roundcube.net/news/2023/11/05/security-updates-1.6.5-and-1.5.6

Credits

This issue has been credited to a researcher in the upstream disclosure: https://roundcube.net/news/2023/11/05/security-updates-1.6.5-and-1.5.6

Solution

This issue is resolved in the following builds:
11.116.0.4
11.114.0.12
11.110.0.15

https://news.cpanel.com/wp-content/uploads/2023/11/TSR-2023-0004-Full-Disclosure.signed-2.txt