cPanel TSR-2021-0005 Full Disclosure
cPanel has released its Targeted Security Release to address security concerns with the cPanel product. These updates are currently available to all customers via the standard update system.
cPanel has rated this update as having a CVSSv3.1 score of 3.9 to 5.3. For more information on ratings, please visit our documentation.
Is there any action required?
If you have disabled cPanel & WHM automatic updates, please update your cPanel & WHM installations at your earliest convenience.
If you have configured cPanel & WHM servers to automatically update, no action is required. Your servers have automatically been updated.
To avoid service interruptions, please ensure you are on one of the following secure versions:
- 94.0.16 or greater
- 98.0.8 or greater
Full Disclosure Details
SEC-595
Summary
Boxtrapper runs with /tmp as the working directory.
Security Rating
cPanel has assigned this vulnerability a CVSSv3.1 score of 3.9 CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N
Description
Boxtrapper is run with /tmp as the working directory. In combination with the CVE-2021-36770 for Perl’s Encode.pm, it is possible for an attacker to execute arbitrary code as another user on the server.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.98.0.8
11.94.0.16
SEC-596
Summary
Reflected XSS Vulnerability in Legacy Login Page.
Security Rating
cPanel has assigned this vulnerability a CVSSv3.1 score of 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Description
Invalid UTF-8 characters could trigger cPanel to use the Legacy Login page. This page did not adequately encode output. This could allow for an attacker to inject arbitrary JavaScript code into the rendered page.
Credits
This issue was discovered by Sh1yo.
Solution
This issue is resolved in the following builds:
11.98.0.8
11.94.0.16
Additional Information
For the latest information on cPanel & WHM releases, please visit our cPanel Downloads page.
For more information on the cPanel & WHM Versions and Release Process, please refer to our documentation.
For the PGP-Signed message please see TSR-2021-0005.disclosure.signed.