-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

cPanel TSR-2020-0002 Full Disclosure

SEC-505

Summary
Bandwidth suspensions can be triggered remotely via mail log strings.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 5.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L

Description
The regular expression patterns used to match bandwidth log lines in the
mail log were not properly anchored. A string supplied by a remote sender
and written verbatim into the mail log could therefore satisfy the
pattern as if it were a genuine bandwidth log line. This allowed remote
attackers to generate fake bandwidth consumption for an account, which
could push the account over its bandwidth limit and trigger a suspension.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.86.0.14
11.84.0.22
11.78.0.47

SEC-540

Summary
cPanel account backup leaks access to current working directory.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 2.2
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L

Description
Access to the current working directory of the root user was leaked to
unprivileged users when cPanel & WHM's backup scripts were executed.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.86.0.14
11.84.0.22
11.78.0.47

For the PGP-signed message, please see:
https://news.cpanel.com/wp-content/uploads/2020/03/TSR-2020-0002.disclosure.signed.txt
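The following Python example illustrates the class of bug described under SEC-505; it is added here and is not cPanel's code, nor cPanel's or Exim's real log format or pattern. The log lines, the field names U= and S=, the message-id layout and the byte limit are all constructed for the illustration. The unanchored pattern accepts the account and size fields wherever they occur, including inside an attacker-chosen recipient address that a rejection line echoes verbatim; the anchored pattern requires the whole line to have the layout of a received-message entry, so the injected text is ignored.

```python
import re
from collections import defaultdict

# Constructed, simplified mail-log lines (not cPanel's or Exim's real format).
# A received-message line carries the owning account in U= and the size in S=.
# A rejection line echoes the remote sender's recipient address verbatim, so
# whatever that sender put in the address ends up in the log.
SAMPLE_LOG = [
    '2020-03-10 12:00:01 1jBxyz-000abc-De <= alice@example.com U=alice S=2048',
    '2020-03-10 12:00:02 1jBxyz-000abd-Ef <= news@example.net U=alice S=512',
    '2020-03-10 12:00:03 H=(mx.attacker.test) [198.51.100.7] '
    'F=<x@attacker.test> rejected RCPT <"U=bob S=999999999"@example.com>: '
    'Unrouteable address',
]

# Vulnerable pattern: no anchors, so the fields are accepted anywhere in any
# line, including inside attacker-controlled text.
UNANCHORED = re.compile(r'U=(\w+) S=(\d+)')

# Hardened pattern: pinned to the full layout of a received-message line.
ANCHORED = re.compile(
    r'^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d '                 # timestamp
    r'[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2} '    # message id
    r'<= \S+ '                                          # envelope sender
    r'U=(\w+) S=(\d+)$'                                 # account and size, end of line
)


def parse_unanchored(line):
    """Return (account, bytes) from anywhere in the line, or None."""
    m = UNANCHORED.search(line)
    return (m.group(1), int(m.group(2))) if m else None


def parse_anchored(line):
    """Return (account, bytes) only if the whole line is a received-message entry."""
    m = ANCHORED.match(line)
    return (m.group(1), int(m.group(2))) if m else None


def tally(lines, parse):
    """Sum the bytes attributed to each account by the given parser."""
    totals = defaultdict(int)
    for line in lines:
        hit = parse(line)
        if hit:
            account, size = hit
            totals[account] += size
    return dict(totals)


def over_limit(totals, limit_bytes):
    """Accounts whose attributed usage exceeds the (constructed) limit."""
    return sorted(a for a, b in totals.items() if b > limit_bytes)


if __name__ == '__main__':
    LIMIT = 10_000_000  # constructed per-account bandwidth limit in bytes
    for name, parse in (('unanchored', parse_unanchored), ('anchored', parse_anchored)):
        totals = tally(SAMPLE_LOG, parse)
        print(name, totals, 'suspend:', over_limit(totals, LIMIT))
```

With the unanchored pattern the rejection line credits 999999999 bytes to bob, who never sent or received anything, and bob is the only account over the limit; with the anchored pattern only alice's two genuine lines are counted. The general lesson is that a regular expression used to extract accounting data from a log must be tied to the line type it is meant to parse (start and end anchors, or a check of the event type before extraction), because other line types on the same log carry fields that remote parties control.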
-----BEGIN PGP SIGNATURE-----

iQJIBAEBCgAyFiEEtnCbTMb0IHf2mEGRlSG+3KvZTd8FAl5vu2MUHHNlY3VyaXR5
QGNwYW5lbC5uZXQACgkQlSG+3KvZTd8zAg/+LHYzrkXknIxbQXUtSsSQ7AofbJog
kKHn5CM2sK+RWLJmZAKvYFWcUBiud8sHbkfsev8gkLjSTB4c9MO8fjcETDuUfWP6
+j08zVjjcNEg32qdLbsGQuP0SbevWXSobBCbD1IDw2Tpo1m7Orhw6i2oARKins3D
AF3aBoiiEp47NGRa0qY71mmCncfNY6AH0wAOoKgNPcOiAo8XWi6+WcUot+e/c53O
2NjNH9A0DM4KVAwkYYyUYAxZaVIHz9gu3eVAeIm3w3jVcsyuzPZUNeDhQqqfEhMK
5JaWx4g8glVfxx24BvND7+rkFBo8TUFKNvoHIeCFMmWT3Xj9AaFb/qHnK/GX7JbH
vYL0e8agaLVlfue6Tdb5Lc7pigRi8Skew603WRfapvFNgnP95uk371S+Xp5kONUb
1u2RvU7wS2G8fkmMPe2UBzclPagGxNk3dBj6jIvNmnjirzahloQ2Wzop8rs+eGAA
5VZLeqeOCIKeqkrOtMItsPq44H3dOkUR440MNX87ZY6aJLRRjU/90Cjh6YYsdM01
rlt21p0+WBHVl2i5gtgSZZ6ScVxJWVSFEzrLlT0YC7Xe8Wol4RreXOEz7N5uI6Ly
4liWJK3xXAKLnTybJXKeS2doi+x+/Ks+Qcxqtz18Ah3tBeiugD6IixQ0mJXJsG9J
NgD4SXl1Tdb/04c=
=97Px
-----END PGP SIGNATURE-----