cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system.<\/p>\n
SEC-592<\/strong><\/p>\n Summary<\/p>\n Arbitrary code execution via install_locallib_loginprofile script.<\/p>\n Security Rating<\/p>\n cPanel has assigned this vulnerability a CVSSv3.1 score of 3.9 CVSS:3.1\/AV:L\/AC:H\/PR:L\/UI:R\/S:C\/C:L\/I:L\/A:N<\/p>\n Description<\/p>\n The install_locallib_loginprofile script checks for optional modules within the current working directory if they are missing from the local system. If these modules are missing, it is possible for an attacker to execute arbitrary code when this script is executed.<\/p>\n Credits<\/p>\n This issue was discovered by the cPanel Security Team.<\/p>\n Solution<\/p>\n This issue is resolved in the following builds: SEC-593<\/strong><\/p>\n Summary<\/p>\n Cpanel::SecureDownload executes shell commands in an insecure manner.<\/p>\n Security Rating<\/p>\n cPanel has assigned this vulnerability a CVSSv3.1 score of 2.3 CVSS:3.1\/AV:L\/AC:H\/PR:H\/UI:R\/S:C\/C:N\/I:L\/A:N<\/p>\n Description<\/p>\n It is possible for Cpanel::SecureDownload to execute shell commands in an insecure manner. This can allow for an attacker to inject arbitrary commands to be executed on the target server.<\/p>\n Credits<\/p>\n This issue was discovered by the cPanel Security Team.<\/p>\n Solution<\/p>\n This issue is resolved in the following builds: SEC-597<\/strong><\/p>\n Summary<\/p>\n Self-Reflected-XSS Vulnerability in ModSecurity Custom Rules Interface.<\/p>\n Security Rating<\/p>\n cPanel has assigned this vulnerability a CVSSv3.1 score of 1.8 CVSS:3.1\/AV:L\/AC:H\/PR:H\/UI:R\/S:U\/C:N\/I:L\/A:N<\/p>\n Description<\/p>\n When adding rules in the ModSecurity Custom Rules Interface, error messages are not adequately encoded. This could allow for an attacker to execute arbitrary code on the rendered page.<\/p>\n Credits<\/p>\n This issue was discovered by John Lightsey.<\/p>\n Solution<\/p>\n This issue is resolved in the following builds: SEC-598<\/strong><\/p>\n Summary<\/p>\n Stored-XSS Vulnerability in ModSecurity Rules Interface.<\/p>\n Security Rating<\/p>\n cPanel has assigned this vulnerability a CVSSv3.1 score of 3.1 CVSS:3.1\/AV:N\/AC:H\/PR:N\/UI:R\/S:U\/C:N\/I:L\/A:N<\/p>\n Description<\/p>\n When enabling rules in the ModSecurity Rules Interface, status messages are not adequately encoded. This could allow for an attacker to execute arbitrary code on the rendered page.<\/p>\n Credits<\/p>\n This issue was discovered by John Lightsey.<\/p>\n Solution<\/p>\n This issue is resolved in the following builds: SEC-599<\/strong><\/p>\n Summary<\/p>\n Stored-XSS Vulnerability in ModSecurity Rules Interface.<\/p>\n Security Rating<\/p>\n cPanel has assigned this vulnerability a CVSSv3.1 score of 3.1 CVSS:3.1\/AV:N\/AC:H\/PR:N\/UI:R\/S:U\/C:N\/I:L\/A:N<\/p>\n Description<\/p>\n When disabling rules in the ModSecurity Rules Interface, status messages are not adequately encoded. This could allow for an attacker to execute arbitrary code on the rendered page.<\/p>\n Credits<\/p>\n This issue was discovered by John Lightsey.<\/p>\n Solution<\/p>\n This issue is resolved in the following builds: SEC-600<\/strong><\/p>\n Summary<\/p>\n Reflected-XSS Vulnerability in ModSecurity Vendors Interface.<\/p>\n Security Rating<\/p>\n cPanel has assigned this vulnerability a CVSSv3.1 score of 3.1 CVSS:3.1\/AV:N\/AC:H\/PR:N\/UI:R\/S:U\/C:N\/I:L\/A:N<\/p>\n Description<\/p>\n Errors generated by the ModSecurity Vendors Interface when adding a ModSecurity Vendor are not adequately encoded. This could allow for an attacker to execute arbitrary code on the rendered page.<\/p>\n Credits<\/p>\n This issue was discovered by John Lightsey.<\/p>\n Solution<\/p>\n This issue is resolved in the following builds: SEC-602<\/strong><\/p>\n Summary<\/p>\n Self-XSS Vulnerability in WHM Change Hostname interface.<\/p>\n Security Rating<\/p>\n cPanel has assigned this vulnerability a CVSSv3.1 score of 2.0 CVSS:3.1\/AV:L\/AC:L\/PR:H\/UI:R\/S:U\/C:N\/I:L\/A:N<\/p>\n Description<\/p>\n The WHM Change Hostname interface does not adequately encode error messages. This could allow for an attacker to execute arbitrary code on the rendered page.<\/p>\n Credits<\/p>\n This issue was discovered by the cPanel Security Team.<\/p>\n Solution<\/p>\n This issue is resolved in the following builds: SEC-603<\/strong><\/p>\n Summary<\/p>\n Self-stored XSS Vulnerability in WHM Edit Reseller Nameservers and Privileges.<\/p>\n Security Rating<\/p>\n cPanel has assigned this vulnerability a CVSSv3.1 score of 2.3 CVSS:3.1\/AV:L\/AC:H\/PR:H\/UI:R\/S:C\/C:N\/I:L\/A:N<\/p>\n Description<\/p>\n The WHM Edit Reseller Nameservers and Privileges interface does not adequately encode package names. This could allow for an attacker to execute arbitrary code on the rendered page.<\/p>\n Credits<\/p>\n This issue was discovered by the cPanel Security Team.<\/p>\n Solution<\/p>\n This issue is resolved in the following builds: SEC-604<\/strong><\/p>\n Summary<\/p>\n Self-XSS Vulnerability in cPanel Default Address Interface.<\/p>\n Security Rating<\/p>\n cPanel has assigned this vulnerability a CVSSv3.1 score of 5.3 CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:N\/I:L\/A:N<\/p>\n Description<\/p>\n Errors returned in the cPanel Default Address Interface are not adequately encoded. This could allow for an attacker to execute arbitrary code on the rendered page.<\/p>\n Credits<\/p>\n This issue was discovered by the cPanel Security Team.<\/p>\n Solution<\/p>\n This issue is resolved in the following builds: SEC-606<\/strong><\/p>\n Summary<\/p>\n Sensitive data submitted via GET request in scripts2\/dogencrt.<\/p>\n Security Rating<\/p>\n cPanel has assigned this vulnerability a CVSSv3.1 score of Severity: 2.3 CVSS:3.1\/AV:L\/AC:L\/PR:H\/UI:N\/S:U\/C:L\/I:N\/A:N<\/p>\n Description<\/p>\n When generating an SSL certificate via the WHM Generate an SSL Certificate and Signing Request interface, the certificate\u2019s passphrase was being submitted via a GET request. This could make it possible for an attacker to recover this sensitive information from log files or browser history.<\/p>\n Credits<\/p>\n This issue was discovered by the cPanel Security Team.<\/p>\n Solution<\/p>\n This issue is resolved in the following builds: SEC-608<\/strong><\/p>\n Summary<\/p>\n Stored-XSS Vulnerability in ModSecurity Rules Interface.<\/p>\n Security Rating<\/p>\n cPanel has assigned this vulnerability a CVSSv3.1 score of 2.3 CVSS:3.1\/AV:L\/AC:H\/PR:H\/UI:R\/S:C\/C:N\/I:L\/A:N<\/p>\n Description<\/p>\n When deleting rules in the ModSecurity Rules Interface, status messages are not adequately encoded. This could allow for an attacker to execute arbitrary code on the rendered page.<\/p>\n Credits<\/p>\n This issue was discovered by the cPanel Security Team.<\/p>\n Solution<\/p>\n This issue is resolved in the following builds: For the PGP-Signed message please see the linked document below.<\/p>\n","protected":false},"excerpt":{"rendered":" cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system. SEC-592 Summary Arbitrary code execution via install_locallib_loginprofile script. Security Rating cPanel has assigned this vulnerability a CVSSv3.1 …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[25],"tags":[],"class_list":["post-18698","post","type-post","status-publish","format-standard","hentry","category-cpanel-news"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/18698","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=18698"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/18698\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=18698"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=18698"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=18698"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\n11.94.0.18
\n11.98.0.12
\n11.100.0.3<\/p>\n
\n11.94.0.18
\n11.98.0.12
\n11.100.0.3<\/p>\n
\n11.94.0.18
\n11.98.0.12
\n11.100.0.3<\/p>\n
\n11.94.0.18
\n11.98.0.12
\n11.100.0.3<\/p>\n
\n11.94.0.18
\n11.98.0.12
\n11.100.0.3<\/p>\n
\n11.94.0.18
\n11.98.0.12
\n11.100.0.3<\/p>\n
\n11.94.0.18
\n11.98.0.12
\n11.100.0.3<\/p>\n
\n11.94.0.18
\n11.98.0.12
\n11.100.0.3<\/p>\n
\n11.100.0.3
\n11.98.0.12<\/p>\n
\n11.94.0.18
\n11.98.0.12
\n11.100.0.3<\/p>\n
\n11.94.0.18
\n11.98.0.12
\n11.100.0.3<\/p>\n