Live Transfer causes email accounts to not require a password on the source server.
cPanel has assigned this vulnerability a CVSSv3 score of 5.6 – CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Previously, when Exim asked for authentication data, cpdoveauthd would send Exim the response for proxying without a password.
Since Exim ignores “proxy_maybe”, that caused Exim to forgo SMTP authentication in those cases.
This issue is resolved in the following build:
For the PGP-signed message, please see TSR-2020-0006.full.disclosure.signed