cPanel TSR-2023-0002 Full Disclosure XSS vulnerability
cPanel TSR-2023-0001 Full Disclosure
SEC-673
Summary
XSS vulnerability on ‘Repair a MySQL Database’ page in WHM
Security Rating
cPanel has assigned this vulnerability a CVSSv3.1 score of Severity: 6.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L Description
It was possible for a cPanel user to create a database with javascript in the name. Then, the javascript would be fetched and executed when the server admin loaded the ‘Repair a MySQL Database’ page via WHM.
Credits
This issue was discovered by Aliz Hammond of watchTowr.com.
Solution
This issue is resolved in the following builds:
11.112.0.1
11.110.0.6
11.108.0.16
11.102.0.33
SEC-672
Summary
Authenticated RCE for webmail virtual accounts
Security Rating
cPanel has assigned this vulnerability a CVSSv3.1 score of 5.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Description
It is possible to craft a string that gets past the regex check performed via the deprecated Email::addforward API1 call. Subsequent calls to api1/api2/uapi calls to remove forwarders will remove the escape () characters in the string. This can turn the forwarder added with the string into a valid forwarder that allows for an RCE to the user’s cPanel account.
Credits
This issue was discovered by John Lightsey.
Solution
This issue is resolved in the following builds:
11.112.0.1
11.110.0.6
11.108.0.16
11.102.0.33
SEC-670
Summary
HTTP request smuggling vulnerability in cpsrvd
Security Rating
cPanel has assigned this vulnerability a CVSSv3.1 score of 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N.
Description
‘cpanel::cpsrvd::read_socket_headers’ is susceptible to a race condition on keep-alive requests from unprotected documents where the original request headers contain a ‘Content-Length’ header. This can occur when the original request contains a smuggled request that causes the readline to hang while reading the socket due to waiting on the condition provided by $/ to be met. If a second keep-alive request comes in during this time, the entire keep-alive request can be appended to the smuggled request as part of its headers, thus causing the smuggled request to be processed when it should not have been.
Credits
This issue was discovered by Erik Ellsinger.
Solution
This issue is resolved in the following builds:
11.112.0.1
11.110.0.6
11.108.0.16
11.102.0.33
https://news.cpanel.com/wp-content/uploads/2023/05/TSR-2023-0002-Full-Disclosure.signed.txt