cPanel TSR-2024-0002 Full Disclosure

TSR-566

Summary

Fix Self-XSS Vulnerability in webdiskvbs.cgi.

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of 3.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

Description

The webdiskvbs.cgi script did not adequately validate and encode the query parameters. Because of this, it was possible to inject arbitrary data into the returned response, allowing an attacker to execute code.

Credits

This issue was discovered by John Smith, Shadow Garden

Solution

This issue is resolved in the following builds:
11.110.0.50
11.118.0.30
11.124.0.21

TSR-556

Summary

Fix Self-XSS Vulnerability in webdisksetup.cgi.

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of 3.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

Description

The webdisksetup.cgi script did not adequately validate and encode the query parameters. Because of this, it was possible to inject arbitrary data into the returned response, allowing an attacker to execute code.

Credits

This issue was discovered by John Smith, Shadow Garden

Solution

This issue is resolved in the following builds:
11.110.0.50
11.118.0.30
11.124.0.21

TSR-563

Summary

Fix Self-XSS Vulnerability in cyberducksetup.cgi.

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of 2.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

Description

The cyberducksetup.cgi script did not adequately validate and encode the query parameters. Because of this, it was possible to inject arbitrary data into the returned response, allowing an attacker to execute code.

Credits

This issue was discovered by John Smith, Shadow Garden

Solution

This issue is resolved in the following builds:
11.110.0.50
11.118.0.30
11.124.0.21

TSR-565

Summary

Fix Self-XSS Vulnerability in coreftpsetup.cgi.

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of 2.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

Description

The coreftpsetup.cgi script did not adequately validate and encode the query parameters. Because of this, it was possible to inject arbitrary data into the returned response, allowing an attacker to execute code.

Credits

This issue was discovered by John Smith, Shadow Garden

Solution

This issue is resolved in the following builds:
11.110.0.50
11.118.0.30
11.124.0.21

TSR-608

Summary

Race condition in Exim identify_local_connection check allows for local users to send mail.

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Description

A connection to the mailserver could send the entirety of an SMTP transaction before immediately closing the socket without waiting for exim to respond. This would put the socket into a FIN_WAIT state, which the Linux kernel records as belonging to UID 0. When the exim identify_local_connection check (utilizing the Cpanel::Ident module) occurred, the socket was already in this state, and showed the connection as coming from the root user, which allowed the email to be sent.

Credits

This issue was discovered by Namecheap Tech Ops.

Solution

This issue is resolved in the following builds:
11.110.0.50
11.118.0.30
11.124.0.21
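
The following is an added example for TSR-608, not cPanel's code or its fix: a Python sketch of an ident-style owner lookup over a constructed /proc/net/tcp sample, comparing a lookup that trusts the UID column in any socket state with one that fails closed unless the socket is ESTABLISHED. The function names, the sample rows and the fail-closed rule are assumptions for illustration; the advisory does not say how Cpanel::Ident performs its lookup.

```python
import socket
import struct

TCP_ESTABLISHED = 0x01  # "st" column value for a live connection

# Constructed sample in /proc/net/tcp layout (little-endian host), not real data.
# Row 0: listener on 127.0.0.1:25. Row 1: live local client owned by UID 1001.
# Row 2: client closed right after sending; the orphaned FIN_WAIT2 socket is
# reported with uid 0 and inode 0.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20111 1 0000000000000000 100 0 0 10 0
   1: 0100007F:C350 0100007F:0019 01 00000000:00000000 00:00000000 00000000  1001        0 48213 1 0000000000000000 20 4 30 10 -1
   2: 0100007F:C351 0100007F:0019 05 00000000:00000000 00:00000000 00000000     0        0 0 2 0000000000000000 20 4 30 10 -1
"""

def _endpoint(ip, port):
    """Encode an IPv4 endpoint as /proc/net/tcp prints it on little-endian."""
    addr = struct.unpack("<I", socket.inet_aton(ip))[0]
    return "%08X:%04X" % (addr, port)

def find_client_row(table, client, server):
    """Return (state, uid, inode) for the client's end of the connection."""
    want = (_endpoint(*client), _endpoint(*server))
    for line in table.splitlines()[1:]:
        f = line.split()
        if len(f) >= 10 and (f[1], f[2]) == want:
            return int(f[3], 16), int(f[7]), int(f[9])
    return None

def naive_uid(table, client, server):
    """Trusts whatever UID the table shows, regardless of socket state."""
    row = find_client_row(table, client, server)
    return row[1] if row else None

def strict_uid(table, client, server):
    """Fail closed: report an owner only for a live, non-orphaned socket."""
    row = find_client_row(table, client, server)
    if row is None:
        return None
    state, uid, inode = row
    if state != TCP_ESTABLISHED or inode == 0:
        return None  # owner unknown; caller must not treat this as root
    return uid
```

A caller that receives None from strict_uid should treat the sender as unidentified rather than as a trusted local user.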