cPanel TSR-2023-0001 Full Disclosure<\/p>\n
SEC-668<\/strong><\/p>\n Summary<\/strong><\/p>\n Beef up filter checking for invalid webmail forwarders.<\/p>\n Security Rating<\/strong><\/p>\n cPanel has assigned this vulnerability a CVSSv3.1 score of Severity: 5.3 CVSS:3.1\/AV:L\/AC:L\/PR:L\/UI:N\/S:U\/C:L\/I:L\/A:L<\/p>\n Description<\/strong><\/p>\n Putting back-slashes before and after forbidden webmail forwarder words (such as include) will allow it to go through. Improve the filter to catch this.<\/p>\n Credits<\/strong><\/p>\n This issue was discovered by John Lightsey.<\/p>\n Solution<\/strong><\/p>\n This issue is resolved in the following builds: SEC-669<\/strong><\/p>\n Summary<\/strong><\/p>\n Escape HTML message in cpsrvd\u2019s error page.<\/p>\n Security Rating<\/strong><\/p>\n cPanel has assigned this vulnerability a CVSSv3.1 score of 6.3 CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:R\/S:U\/C:L\/I:L\/A:L<\/p>\n Description<\/strong><\/p>\n An invalid webcall ID can contain cross-site scripting content and needs to be escaped when displayed on the error page for cpsrvd. By escaping the HTML message in the error page we can prevent cross-site scripting from this source as well as any other source that makes it onto the error page.<\/p>\n Credits<\/strong><\/p>\n This issue was discovered by two different reporters:<\/p>\n Sergey Temnikov<\/p>\n Shubham Shah of Assetnote.<\/p>\n
\n11.109.9999.116
\n11.108.0.13
\n11.106.0.18
\n11.102.0.31<\/p>\n