-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 cPanel Unscheduled TSR-2020-0005 Full Disclosure CPANEL-34212 Summary Live Transfer causes email accounts to not require a password on the source server. Security Rating cPanel has assigned this vulnerability a CVSSv3 score of 5.6 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L Description Previously, when Exim asked for authentication data, cpdoveauthd would send Exim the response for proxying without a password. Since Exim ignores “proxy_maybe”, that caused Exim to forgo SMTP authentication in those cases. Solution This issue is resolved in the following build: 11.90.0.13 -----BEGIN PGP SIGNATURE----- iQJIBAEBCgAyFiEEtnCbTMb0IHf2mEGRlSG+3KvZTd8FAl97bkYUHHNlY3VyaXR5 QGNwYW5lbC5uZXQACgkQlSG+3KvZTd9y0g//R310yVCM8pEyTIRTZSCUP94f7Uee KYSTTRbqiS6syv8qLSOqi27QAIIJ7bcCbKN1Ou+6ZDJjIrwwsdgJW4eKdQ9VXyKd 5EWEsYuqOM55TyUFXkRP7l0o2hO4LvXhDLYBgo0Dj7A1HtSFp4uPGxX6+mOsku8H 4107dWqAIloyLiX8ddXb9hJ/MGPjYWTzeFWivjRXuhDkJrMvt1pc+sZ0dlRLHcju bDuMzy4JWaAKQVu93qfCASI4z21cUH/vIAwH+f8tnvhnOQf5OD7pD7yh5qXSDrHf gniL7ycoI5y9SLTnjsK0lbKXbZ7jFFyrASyw2i8yPhoViOrqae0flAMhhc6UsYMs nwGpf0ZHBrgMZKMpqbpR0Hc1CrwgRIfLlUpZqJuIHdee2onLhZIcumDFswIGWk8U TcTiZuYPuAJEFEmpXlPa6m0JwQdSwiRPhTWHICNcpCFnDPYL5EJkb1smpSiQLVmc L7e6z08ZtX0Fw6WV0zSjmN4bWICSO1ilpUwc9tN8FpHpCLcwYJIP64NcreQnnEL0 /lzolTDhiXBI5+J8Tack3XjPz4N1XZeWHXi+qQ3vSs1eYWIS/OBzjaSIxoXSll+U thr9MaGm4z2N3b2tT6KJr0wPDCTPsxGGQIZFavo/rbTE+edJSLVeWc0Vp/1P9GfQ R140tIfH+2NpVMs= =MxXL -----END PGP SIGNATURE-----