cPanel TSR-2024-0001 Full Disclosure
TSR-566
Summary
Fix Self-XSS Vulnerability in webdiskvbs.cgi.
Security Rating
cPanel has assigned this vulnerability a CVSSv3.1 score of 3.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N).
Description
The webdiskvbs.cgi script did not adequately validate and encode the query parameters. Because of this, it was possible to inject arbitrary data into the returned response, allowing an attacker to execute code.
Credits
This issue was discovered by John Smith, Shadow Garden
Solution
This issue is resolved in the following builds:
11.110.0.50
11.118.0.30
11.124.0.21
TSR-556
Summary
Fix Self-XSS Vulnerability in webdisksetup.cgi.
Security Rating
cPanel has assigned this vulnerability a CVSSv3.1 score of 3.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N).
Description
The webdisksetup.cgi script did not adequately validate and encode the query parameters. Because of this, it was possible to inject arbitrary data into the returned response, allowing an attacker to execute code.
Credits
This issue was discovered by John Smith, Shadow Garden
Solution
This issue is resolved in the following builds:
11.110.0.50
11.118.0.30
11.124.0.21
TSR-563
Summary
Fix Self-XSS Vulnerability in cyberducksetup.cgi.
Security Rating
cPanel has assigned this vulnerability a CVSSv3.1 score of 2.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N).
Description
The cyberducksetup.cgi script did not adequately validate and encode the query parameters. Because of this, it was possible to inject arbitrary data into the returned response, allowing an attacker to execute code.
Credits
This issue was discovered by John Smith, Shadow Garden
Solution
This issue is resolved in the following builds:
11.110.0.50
11.118.0.30
11.124.0.21
TSR-565
Summary
Fix Self-XSS Vulnerability in coreftpsetup.cgi.
Security Rating
cPanel has assigned this vulnerability a CVSSv3.1 score of 2.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N).
Description
The coreftpsetup.cgi script did not adequately validate and encode the query parameters. Because of this, it was possible to inject arbitrary data into the returned response, allowing an attacker to execute code.
Credits
This issue was discovered by John Smith, Shadow Garden
Solution
This issue is resolved in the following builds:
11.110.0.50
11.118.0.30
11.124.0.21
TSR-608
Summary
Race condition in Exim identify_local_connection check allows local users to send mail.
Security Rating
cPanel has assigned this vulnerability a CVSSv3.1 score of 3.3 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L).
Description
A connection to the mail server could send the entirety of an SMTP transaction and then immediately close the socket without waiting for Exim to respond. This would put the socket into a FIN_WAIT state, which the Linux kernel records as belonging to UID 0. When the Exim identify_local_connection check (utilizing the Cpanel::Ident module) occurred, the socket was already in this state and showed the connection as coming from the root user, which allowed the email to be sent.
Credits
This issue was discovered by Namecheap Tech Ops.
Solution
This issue is resolved in the following builds:
11.110.0.50
11.118.0.30
11.124.0.21
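The stale-socket condition described under TSR-608, shown as an added example that is not cPanel's code or its actual fix: a weak owner lookup next to a fail-closed one. It assumes the owner is resolved from a /proc/net/tcp-style table; the function names and the sample table are constructed for illustration.

```python
# Added example: fail-closed owner lookup over /proc/net/tcp-style text.
TCP_ESTABLISHED = 0x01  # "st" column value for an established connection

def _endpoint(ip, port):
    """Encode an IPv4 endpoint as /proc/net/tcp prints it on little-endian hosts."""
    a, b, c, d = (int(o) for o in ip.split("."))
    return "%02X%02X%02X%02X:%04X" % (d, c, b, a, port)

def find_client_socket(table, client, server):
    """Return (state, uid, inode) for the client's end of the connection, or None."""
    want_local, want_remote = _endpoint(*client), _endpoint(*server)
    for line in table.strip().splitlines()[1:]:  # skip the header row
        f = line.split()
        if f[1] == want_local and f[2] == want_remote:
            return int(f[3], 16), int(f[7]), int(f[9])
    return None

def naive_owner(table, client, server):
    """Weak pattern: trusts the uid column whatever state the socket is in."""
    row = find_client_socket(table, client, server)
    return None if row is None else row[1]

def hardened_owner(table, client, server):
    """Return a uid only for a live, attached socket; None means 'unknown'."""
    row = find_client_socket(table, client, server)
    if row is None:
        return None
    state, uid, inode = row
    if state != TCP_ESTABLISHED or inode == 0:
        return None  # closing/orphaned socket: the uid column is not the sender
    return uid

# Constructed sample: a listener, a live connection owned by uid 1001, and an
# already-closed client socket (state 05 = FIN_WAIT2) that reports uid 0, inode 0.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20011 1 0000000000000000 100 0 0 10 0
   1: 0100007F:D431 0100007F:0019 01 00000000:00000000 00:00000000 00000000  1001        0 48213 1 0000000000000000 20 4 30 10 -1
   2: 0100007F:D432 0100007F:0019 05 00000000:00000000 00:00000000 00000000     0        0 0 1 0000000000000000 20 4 30 10 -1
"""

SMTP = ("127.0.0.1", 25)
if __name__ == "__main__":
    for port in (54321, 54322):
        peer = ("127.0.0.1", port)
        print(port, naive_owner(SAMPLE, peer, SMTP), hardened_owner(SAMPLE, peer, SMTP))
```

A caller has to treat `None` as "not an identified local user" and apply the unauthenticated policy, never a default identity.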
For information on cPanel & WHM Versions and the Release Process, read our documentation at: https://go.cpanel.net/versionformat.
For a GPG-signed version of this announcement, please visit the following URL:
https://news.cpanel.com/wp-content/uploads/2024/12/TSR-2024-0002.disclosure.signed-1.txt