cPanel TSR 2023-0004 Full Disclosure
SEC-675
Summary
Encoding issue in cPanel access_log.
Security Rating
cPanel has assigned this vulnerability a CVSSv3.1 score of 3.1 (Low) CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
Description
Previously, incoming requests to cpsrvd that contained control characters or other non-printable characters were written to the access_log without being properly encoded. Such characters can cause various problems in the terminal used to view the log and can lead to security issues. This change ensures that these characters are properly ASCII encoded before they are logged.
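As an added illustration of the logging fix described above (example code written for this page, not cPanel's or cpsrvd's own implementation): a log-field encoder that rewrites control, DEL, non-ASCII and backslash bytes as \xNN before a request line reaches the access_log, plus a small detection helper for reviewing existing logs. The \xNN scheme, the function names and the sample request lines are assumptions; the advisory only states that the characters are now ASCII encoded.

```python
import re

# Bytes a log writer must never emit verbatim: ASCII control characters
# (0x00-0x1F), DEL (0x7F) and anything outside 7-bit ASCII. The backslash
# is escaped too, so an encoded line can be decoded without ambiguity.
_UNSAFE = re.compile(rb"[\x00-\x1f\x7f-\xff\\]")


def encode_log_field(raw: bytes) -> str:
    """Return raw as printable 7-bit ASCII.

    Every unsafe byte is rewritten as \\xNN. The \\xNN form is an assumed
    scheme for this example; the advisory only says the characters are
    now "properly ASCII encoded".
    """
    return _UNSAFE.sub(lambda m: b"\\x%02x" % m.group(0)[0], raw).decode("ascii")


def flag_log_injection(raw: bytes) -> list[str]:
    """Detection helper: name the risky byte classes present in a request
    field, so a log review or WAF rule can alert on them."""
    findings = []
    if b"\x1b" in raw:
        findings.append("ESC (terminal control sequence)")
    if b"\r" in raw or b"\n" in raw:
        findings.append("CR/LF (log line splitting)")
    if any(b < 0x20 or b >= 0x7F for b in raw if b not in (0x1B, 0x0D, 0x0A)):
        findings.append("other non-printable bytes")
    return findings


# Constructed sample request lines, not taken from any real log.
SAMPLES = {
    "clean": b"GET /index.html HTTP/1.1",
    # ESC [ 2 J is the VT100 "clear screen" sequence; viewing an unencoded
    # line containing it would wipe the terminal of whoever tails the log.
    "escape": b"GET /\x1b[2J HTTP/1.1",
    # A bare CRLF inside the request would start a second, forged-looking
    # line in an unencoded access_log; encoding keeps it on one line.
    "crlf": b"GET /a HTTP/1.1\r\nforged-entry",
}

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(f"{name:7} {encode_log_field(line):45} {flag_log_injection(line)}")
```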
Credits
This issue was discovered by Andy Fletcher [email protected].
Solution
This issue is resolved in the following builds:
11.116.0.4
11.114.0.12
11.110.0.15
SEC-677
Summary
Fix cross-site scripting (XSS) vulnerability in setting Content-Type/Content-Disposition for attachment preview/download.
Security Rating
NVD has assigned this vulnerability a CVSSv3.1 score of 5.4 (Medium) CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Description
Please see the upstream post for more information: https://roundcube.net/news/2023/11/05/security-updates-1.6.5-and-1.5.6
Credits
This issue has been credited to a researcher in the upstream disclosure: https://roundcube.net/news/2023/11/05/security-updates-1.6.5-and-1.5.6
Solution
This issue is resolved in the following builds:
11.116.0.4
11.114.0.12
11.110.0.15
https://news.cpanel.com/wp-content/uploads/2023/11/TSR-2023-0004-Full-Disclosure.signed-1.txt