cPanel TSR-2024-0001 Full Disclosure

TSR-566

Summary

Fix Self-XSS Vulnerability in webdiskvbs.cgi.

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of 3.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

Description

The webdiskvbs.cgi script did not adequately validate and encode the query parameters. Because of this, it was possible to inject arbitrary data into the returned response, allowing an attacker to execute code.

Credits

This issue was discovered by John Smith, Shadow Garden

Solution

This issue is resolved in the following builds:

11.110.0.50
11.118.0.30
11.124.0.21

TSR-556

Summary

Fix Self-XSS Vulnerability in webdisksetup.cgi.

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of 3.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

Description

The webdisksetup.cgi script did not adequately validate and encode the query parameters. Because of this, it was possible to inject arbitrary data into the returned response, allowing an attacker to execute code.

Credits

This issue was discovered by John Smith, Shadow Garden

Solution

This issue is resolved in the following builds:

11.110.0.50
11.118.0.30
11.124.0.21

TSR-563

Summary

Fix Self-XSS Vulnerability in cyberducksetup.cgi.

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of 2.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

Description

The cyberducksetup.cgi script did not adequately validate and encode the query parameters. Because of this, it was possible to inject arbitrary data into the returned response, allowing an attacker to execute code.

Credits

This issue was discovered by John Smith, Shadow Garden

Solution

This issue is resolved in the following builds:

11.110.0.50
11.118.0.30
11.124.0.21

TSR-565

Summary

Fix Self-XSS Vulnerability in coreftpsetup.cgi.

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of 2.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

Description

The coreftpsetup.cgi script did not adequately validate and encode the query parameters. Because of this, it was possible to inject arbitrary data into the returned response, allowing an attacker to execute code.

Credits

This issue was discovered by John Smith, Shadow Garden

Solution

This issue is resolved in the following builds:

11.110.0.50
11.118.0.30
11.124.0.21

TSR-608

Summary

Race condition in Exim identify_local_connection check allows local users to send mail.

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Description

A connection to the mail server could send the entirety of an SMTP transaction and then immediately close the socket without waiting for Exim to respond. This would put the socket into a FIN_WAIT state, which the Linux kernel records as belonging to UID 0. When the Exim identify_local_connection check (utilizing the Cpanel::Ident module) occurred, the socket was already in this state and showed the connection as coming from the root user, which allowed the email to be sent.

Credits

This issue was discovered by Namecheap Tech Ops.

Solution

This issue is resolved in the following builds:

11.110.0.50
11.118.0.30
11.124.0.21
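
The identification failure described in TSR-608, shown as an added example that is not cPanel's code and not the fix shipped in the builds above: a lookup that trusts the uid column of any matching socket row, next to one that only answers for a live socket. Assumptions: the lookup reads a /proc/net/tcp style table, the rows in SAMPLE are constructed and cut off after the inode column, the function names are hypothetical, and refusing any row that is not ESTABLISHED is one possible mitigation.

```python
import socket
import struct

TCP_ESTABLISHED = 0x01   # 0x04 = FIN_WAIT1, 0x05 = FIN_WAIT2, 0x06 = TIME_WAIT

# Constructed rows in /proc/net/tcp layout (columns after "inode" omitted).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20001
   1: 0100007F:C350 0100007F:0019 01 00000000:00000000 00:00000000 00000000  1001        0 20002
   2: 0100007F:C351 0100007F:0019 05 00000000:00000000 00:00000000 00000000     0        0 0
"""

def _endpoint(hexpair):
    """Decode 'AABBCCDD:PPPP' (IPv4 address as shown on little-endian hosts)."""
    addr, port = hexpair.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(addr, 16))), int(port, 16)

def find_row(table, client, server):
    """Return (state, uid, inode) for the client's end of the connection."""
    for line in table.splitlines()[1:]:          # skip the header line
        f = line.split()
        if len(f) >= 10 and _endpoint(f[1]) == client and _endpoint(f[2]) == server:
            return int(f[3], 16), int(f[7]), int(f[9])
    return None

def naive_uid(table, client, server):
    """Trusts the uid column whatever the socket state: the flawed pattern."""
    row = find_row(table, client, server)
    return row[1] if row else None

def strict_uid(table, client, server):
    """Answers only for a live socket that still has an owning inode."""
    row = find_row(table, client, server)
    if row is None:
        return None
    state, uid, inode = row
    if state != TCP_ESTABLISHED or inode == 0:
        return None          # closed or orphaned: owner unknown, not root
    return uid

if __name__ == "__main__":
    server = ("127.0.0.1", 25)
    for port in (50000, 50001):
        client = ("127.0.0.1", port)
        print(port, naive_uid(SAMPLE, client, server), strict_uid(SAMPLE, client, server))
```

A caller should treat a None result as "sender not identified" and apply its policy for unidentified local connections, rather than falling back to the uid column.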