-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

cPanel TSR-2019-0005 Full Disclosure

SEC-528

Summary
Self-XSS Vulnerability in the WHM Update Preferences

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.7
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Description
Error messages in the WHM Update Preferences interface were interpreted as
Angular markup. These messages included input data provided by the user.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.82.0.15
11.78.0.39

SEC-517

Summary
cPanel API token credentials remain after account rename or termination.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 8.0
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Description
When a cPanel user's account was renamed or terminated, the API tokens
belonging to the account were left installed on the system under the old
name. Any new accounts created with the same name would allow access to the
previous account's API tokens.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.82.0.15

SEC-526

Summary
Self-XSS Vulnerability in cPanel SSL Key Delete

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.7
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Description
When deleting an SSL key, the user is prompted to remove associated SSL
certificates. The certificate name was not adequately encoded in this prompt.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.82.0.15
11.78.0.39

SEC-527

Summary
Self-Stored XSS Vulnerability in WHM SSL Storage Manager

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.7
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Description
The WHM SSL Storage Manager interface allows resellers to manage their own
SSL certificates and keys. The friendly_name field of displayed SSL keys was
not adequately encoded in this interface.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.82.0.15
11.78.0.39

SEC-524

Summary
XSS Vulnerabilities in cPanel LiveAPI example scripts.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.7
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Description
The cPanel LiveAPI example scripts output multiple sets of data from the
environment and cPanel runtime. This output was not adequately encoded.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.82.0.15
11.78.0.39

SEC-521

Summary
Self-XSS Vulnerability in cPanel SSL Certificate Upload

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.7
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Description
When uploading an SSL certificate using the cPanel SSL Certificate Upload
interface, the common name was not adequately encoded in the success message.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.82.0.15
11.78.0.39

SEC-503

Summary
Demo account code execution via Chrome::get_dom UAPI function.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 7.3
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Description
The get_dom function in the Chrome UAPI module did not validate inputs
properly. This could be misused by demo logins to execute arbitrary code
embedded in Template Toolkit files.

Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.78.0.39

-----BEGIN PGP SIGNATURE-----

iQJIBAEBCgAyFiEEtnCbTMb0IHf2mEGRlSG+3KvZTd8FAl1/vfwUHHNlY3VyaXR5
QGNwYW5lbC5uZXQACgkQlSG+3KvZTd8hxA/9EQt8izvvaJjcA/ff3pHgvPQlV6/T
JlfihrwzuUoqYOwu7TvcDUbYBKB/L3Vu8WSN3aka0UWVubRIWC9y/k1YBFzBHK4O
e2IiZ3XmXKK8WfaE1hv2bpbg4tzOPyVLCCq/N7D5AyyK3ncPAp8Z53UQeSxyFpYC
mRFL41aY81peP8g4V+ndayfmpx+oC6efkgvdavnGv3PCWWSRixkkllet3AdmgQtd
iEPIUNnrBd5as3CjLmOzuIJBElZyqgB8BAbpOKfpAWadwivOqD/X+W3cK18KsjG0
J0rbl4Cy1Pfj/lnCBhAsSTbzTL3V6BLjxyHtznGI++hJ7MdlrckRAEjCbunEMCSQ
X/2DPbNp9FnsS9dqKB2Z9Lld3fhaNFp6Zk1aQHp16D7EQxMZYUrZ/EKR0OeFWo57
tpGz4lj/tuUG5H6MOm/2AKftWU4pjN+uRInDI9wHNdhtc4rUWy+ChkCixDD5DzNi
1EjkBsha48l25FGRHQ08Nx6uEhM5aLQK/NJXyqgQsmSyPuRLNhWONVULXWbWNTcL
wMM5klp99VSMyPGxhur7ylN0+Aut2IH2X6Bo5/lRJwzZ5ie7QO+Dfz2+XYuERYBk
8cmuzzxaW41bRLKAaUaOgdybXK/mEAwNvQH7O76UD6GxP6VswnV1gAdkyR7xiytu
Yi3vFAFtbxmdiPc=
=qRaC
-----END PGP SIGNATURE-----