-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

cPanel TSR 2021-0002 Full Disclosure

SEC-581

Summary

Self-XSS Vulnerability in EasyApache 4 Save Profile.

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of 1.8 CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N

Description

When attempting to save an EasyApache profile with the same name as an existing profile, the resultant error message was not adequately encoded. This would allow an attacker to inject arbitrary code onto the rendered page.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.94.0.3
11.92.0.12
11.86.0.37
-----BEGIN PGP SIGNATURE-----

iQJIBAEBCgAyFiEEtnCbTMb0IHf2mEGRlSG+3KvZTd8FAmBPnCkUHHNlY3VyaXR5
QGNwYW5lbC5uZXQACgkQlSG+3KvZTd//Rw//aRL4AqMZ1mdLsCtngRufsYRSHssm
ckWiy7m/NOlk0ouAwSWrevqnaVxW2RkRl9J3WIQ0K/d16VvsJEHwLg2wbWAWmYsO
3nZRHJqQ3oG6TnRXRsPmwud6ZKYK8aW+krT+iFk+P4dtt/Wt8U7jBW55yW0k4pm4
w04ftfwDB1CX3slYHOjlyFP8pN+zGN4ILd8YA6yL1X3cMvD7MsR0/1Jzot0gUJjB
ttpcLqgQQfLcHQsO3FU2q8bH+HSGWvTgJx/aui0/mJr8Jmj3iTU7jkBmF7znuTvE
LLJq3oT/UXcjNYazziLveCWifd8DHSnG1N3Tl4hk9Q2/TRDPk+lXfk4X7LaIIJVU
0hc0RyZKQxzJR13fwyu48kmivL1PopiZp4G9PWuE1QRHavL0ZVoVLoDfmzQFG06N
qO2yxzGgMcLyrGde1GsKsT77ABi7nQLj+/IwXgVNqJ0rHaudGLPU7h6RVwkPy+5Y
L66+JnodUrcUQVdxbvjRWYMokyIiMvqFif5QJm//ozhWw88ZQ1X0dxW1Jh9btM/a
nq8Zzwke0Uk/drpUv6uvsOCorpayHMHVySAgyADt6O3OLk/MpEY3gxYEtnCrR9Y0
kXIEQpfDaH12yi+HPtvB+STmKJMM8mO8L5fqPsInnHfqTCYsscRxLDBOh4R2ncDj
InMpnO3LyJLMU2Y=
=asqK
-----END PGP SIGNATURE-----