cPanel TSR-2020-0002 Full Disclosure | cPanel Newsroom

SEC-505 Summary Bandwidth suspensions can be triggered remotely via mail log strings. Security Rating cPanel has assigned this vulnerability a CVSSv3 score of 5.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L Description The regular expression patterns used to match bandwidth log lines in the mail log were not properly anchored. This allowed remote attackers to generate Continue Reading

cPanel TSR-2020-0001 Full Disclosure | cPanel Newsroom

SEC-515 Summary Self-XSS vulnerability via temporary character set specification. Security Rating cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N Description cPanel & WHM and its APIs allow you to specify a temporary character set to use for HTTP responses. Most interfaces and APIs do not expect to Continue Reading

cPanel TSR-2019-0006 Full Disclosure | cPanel Newsroom

SEC-499 Summary Authentication bypass due to variations in webmail username handling. Security Rating cPanel has assigned this vulnerability a CVSSv3.1 score of 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Description The process used to normalize and validate webmail account names was not consistent across different authentication subsystems. Because of these discrepancies, authenticated cPanel users could Continue Reading

cPanel TSR-2017-0005 Full Disclosure

cPanel TSR-2017-0005 Full Disclosure SEC-276 Summary SQL injection in eximstats processing. Security Rating cPanel has assigned this vulnerability a CVSSv3 score of 5.3 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N Description When processing eximstats updates in buffered mode, errors in the SQL operations cause the updates to be reprocessed one statement at a time. The logic Continue Reading

cPanel TSR-2017-0004 Full Disclosure

cPanel TSR-2017-0004 Full Disclosure SEC-263 Summary Stored XSS during WHM cPAddons install. Security Rating cPanel has assigned this vulnerability a CVSSv3 score of 3.9 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N Description It was possible for an attacker to actively inject HTML into the WHM cPAddons screen during a moderated install. Credits This issue was discovered Continue Reading

cPanel TSR-2016-0002 Full Disclosure

cPanel TSR-2016-0002 Full Disclosure SEC-31 Summary Daemons can access their controlling TTY. Security Rating cPanel has assigned this vulnerability a CVSSv2 score of 8.5 (AV:N/AC:M/Au:S/C:C/I:C/A:C) Description Daemonized code is not fully detached from from its parent process. This allows an attacker to control a TTY they do not own. Credits Continue Reading