cPanel Security Advisory: CVE 2007-0890

Updated builds that resolve a Cross Site Scripting vulnerability are available

Security Rating
This vulnerability is rated as trivial by the cPanel Security Team

The /scripts/passwdmysql interface is used by Web Host Manager ( WHM ) to change the root MySQL password. Due to improper handling of the “password” query parameter, data passed via this parameter are not properly santized before returning to the user. If an attacker convinces a user to click a carefully crafted URL it is possible to inject malicious code in the user’s browser session. For this to succeed the user must already be authenticated, or be willing to supply root login credentials after clicking the crafted link.

cPanel 11 users should update to 11.1.0 build 7695 or higher. cPanel 10 users should update to 10.9.0 build 7695 or higher.