cPanel TSR-2021-0002 Full Disclosure

Status
Not open for further replies.

cPanelTabby

SEC-581
Summary

Self-XSS Vulnerability in EasyApache 4 Save Profile.

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of 1.8 (CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N).

Description

When attempting to save an EasyApache profile with the same name as an existing profile, the resultant error message was not adequately encoded. This would allow an attacker to inject arbitrary code onto the rendered page.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.94.0.3
11.92.0.12
11.86.0.37

For information on cPanel & WHM Versions and the Release Process, read our documentation at: https://go.cpanel.net/versionformat

For the PGP-Signed message please see the linked document here.
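
The class of defect in the Description, shown as an added example that is not cPanel's code: a duplicate-name error message built with and without output encoding, plus a regression check that the rendered fragment contains only the template's own markup. The function names, the message wording and the sample profile name are assumptions made for illustration.

```javascript
// Added illustration; none of these names come from cPanel's code base.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Encode the five characters that can change the HTML parsing context.
function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before": the user-supplied profile name is concatenated into markup as-is.
function duplicateProfileErrorUnencoded(profileName) {
  return '<div class="error">A profile named "' + profileName +
         '" already exists.</div>';
}

// "After": the name is encoded at the point of output, so it renders as text.
function duplicateProfileErrorEncoded(profileName) {
  return '<div class="error">A profile named "' + encodeHtml(profileName) +
         '" already exists.</div>';
}

// Count element tags in a rendered fragment.
function countTags(html) {
  return (html.match(/<\/?[a-zA-Z][^>]*>/g) || []).length;
}

// Regression check: a profile name must never change the number of tags
// compared with rendering a plain alphanumeric name through the same template.
function introducesMarkup(render, profileName) {
  return countTags(render(profileName)) !== countTags(render("plain"));
}

// Constructed sample input: a profile name that contains markup characters.
const SAMPLE_NAME = 'default <b>copy</b> & "test"';

console.log("unencoded adds markup:",
  introducesMarkup(duplicateProfileErrorUnencoded, SAMPLE_NAME));
console.log("encoded adds markup:",
  introducesMarkup(duplicateProfileErrorEncoded, SAMPLE_NAME));
console.log(duplicateProfileErrorEncoded(SAMPLE_NAME));
```

A check like `introducesMarkup` fits in a unit test for any template that echoes user-controlled names back in an error path.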
 