cPanel TSR 2023-0004 Full Disclosure

SEC-675

Summary

Encoding issue in cPanel access_log.

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of 3.1 (Low) CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N

Description

Previously, when incoming requests to cpsrvd contained control or other non-printable characters, they were logged without being properly encoded. This can cause all sorts of chaos in a viewing terminal and can lead to security issues. This change ensures that these characters are properly ASCII encoded.

Credits

This issue was discovered by Andy Fletcher.

Solution

This issue is resolved in the following builds:

11.116.0.4
11.114.0.12
11.110.0.15

SEC-677

Summary

Fix cross-site scripting (XSS) vulnerability in setting Content-Type/Content-Disposition for attachment preview/download.

Security Rating

NVD has assigned this vulnerability a CVSSv3.1 score of 5.4 (Medium) CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Description

Please see the upstream post for more information: https://roundcube.net/news/2023/11/05/security-updates-1.6.5-and-1.5.6

Credits

This issue has been credited to a researcher in the upstream disclosure: https://roundcube.net/news/2023/11/05/security-updates-1.6.5-and-1.5.6

Solution

This issue is resolved in the following builds:

11.116.0.4
11.114.0.12
11.110.0.15
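
The kind of encoding described under SEC-675, as an added example that is not cPanel's code: one function escapes unsafe bytes before a request field is written to a log, and a second audits an existing log for lines that still hold raw control bytes. The function names, the \xNN escape style and the sample log lines are assumptions constructed for this illustration.

```python
import re

# Bytes that must not reach a text log raw: C0 controls (ESC, CR, LF, ...),
# DEL and all bytes >= 0x80. Backslash and double quote are escaped too, so
# the output cannot imitate an escape sequence or close a quoted field.
_UNSAFE = re.compile(rb'[\x00-\x1f\x7f-\xff\\"]')

# For auditing existing logs: tab is tolerated and LF is the line separator,
# so an injected LF shows up as an extra (malformed) line, not as a hit here.
_RAW_CTRL = re.compile(rb'[\x00-\x08\x0b-\x1f\x7f-\xff]')


def encode_log_field(raw: bytes) -> str:
    """Render a request field as printable ASCII, one \\xNN per unsafe byte."""
    return _UNSAFE.sub(lambda m: b"\\x%02x" % m.group()[0], raw).decode("ascii")


def find_raw_controls(log: bytes):
    """Return [(line_number, [hex of each raw control byte])] for a log."""
    hits = []
    for number, line in enumerate(log.split(b"\n"), 1):
        bad = _RAW_CTRL.findall(line)
        if bad:
            hits.append((number, [b.hex() for b in bad]))
    return hits


# Constructed sample in a simplified access-log layout (not cPanel's format).
# Line 2 carries a raw ESC byte as part of a terminal colour sequence.
SAMPLE_LOG = (
    b'203.0.113.5 - - [10/Nov/2023:10:00:00 -0000] "GET / HTTP/1.1" 200 512\n'
    b'203.0.113.9 - - [10/Nov/2023:10:00:01 -0000] '
    b'"GET /a\x1b[31mb HTTP/1.1" 404 0\n'
)

if __name__ == "__main__":
    # Safe to print: every unsafe byte has been replaced by its \xNN form.
    print(encode_log_field(b"GET /a\x1b[31mb\r\n HTTP/1.1"))
    for number, bad in find_raw_controls(SAMPLE_LOG):
        print("line %d contains raw bytes: %s" % (number, " ".join(bad)))
```

On a log written before the fixed builds, running the audit first shows which lines hold raw control bytes before the file is opened in a terminal.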