cPanel TSR-2020-0007 Full Disclosure

Status
Not open for further replies.

cPanelTabby

Active Member
Staff member
Dec 13, 2019
26
7
78
cPanel, Houston TX
cPanel Access Level
Root Administrator
cPanel TSR-2020-0007 Full Disclosure

SEC-567
Summary

URL parameter injection vulnerabilities in multiple interfaces.

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of 2.6 CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N

Description

Many cPanel & WHM interfaces create URIs to other interfaces by incorporating user-supplied data in URI query parameters. Several cPanel & WHM interfaces were using URL encoding on these parameters rather than URI encoding. Due to this mistake, a cPanel & WHM user could be misled into performing actions they did not intend.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.92.0.2
11.90.0.17
11.86.0.32



SEC-575
Summary

Two factor authentication vulnerable to brute force attack.

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Description

The two-factor authentication cPanel Security Policy did not prevent an attacker from repeatedly submitting two-factor authentication codes. This allowed an attacker to bypass the two-factor authentication check using brute force techniques. Failed validation of the two-factor authentication code is now treated as equivalent to a failure of the account's primary password validation and rate limited by cPHulk.

Credits

This issue was discovered by Michael Clark and Wes Wright ([email protected]).

Solution

This issue is resolved in the following builds:
11.92.0.2
11.90.0.17
11.86.0.32


SEC-577
Summary

Self-XSS vulnerability in WHM Transfer Tool interface.

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of 4.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Description

Error messages in the WHM Transfer Tool Interface were not properly encoded. This allowed the injection of HTML into some error messages displayed for invalid inputs.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.92.0.2
11.90.0.17



For the PGP-signed message, please see cPanel TSR-2020-0007 Full Disclosure.
 
Status
Not open for further replies.