Pending Publication [CPANEL-18704] An Indirect Way to Change cPanel Passwords

ciao70

Hello,

I report this security article to Sucuri


There’s no doubt that the ubiquitous “forgot your password?” feature has helped many users who’ve misplaced their password or otherwise forgotten it, however—the tradeoff is that it can result in bugs that help bad actors.

As demonstrated in this article, an attacker can use cPanel’s “forgot your password?” feature to reset a user password and obtain further access to an already compromised website.
Replicate this issue on the latest version of cPanel (v82.0.16)





Is cPanel aware of this?

Security Fix?

Thanks
 

cPanelLauren

Product Owner
Staff member

cPanelLauren

Hello,

The epic associated with this has several cases attached, and while a lot of them are complete, the epic itself is not yet resolved in v88. It looks like it is in v90 of cPanel & WHM, though.