cPanel TSR-2020-0002 Full Disclosure | cPanel Newsroom

SEC-505
Summary: Bandwidth suspensions can be triggered remotely via mail log strings.
Security Rating: cPanel has assigned this vulnerability a CVSSv3 score of 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L)
Description: The regular expression patterns used to match bandwidth log lines in the mail log were not properly anchored. This allowed remote attackers to generate
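The following is an added example, written for this page and not taken from cPanel's bandwidth-accounting code, of why an unanchored log-matching pattern is exploitable by anyone who can get a string of their choosing into the mail log. The log layout (a simplified Exim-style arrival line with a quoted, sender-controlled `T="subject"` field), the domain-to-account table and the quota are all constructed assumptions. The vulnerable tally searches anywhere in the line for `<= user@<domain> ... S=<bytes>`, so a subject that mimics that fragment is charged to a domain the sender does not own; the hardened tally reads the sender only from its fixed position and accepts a size only as a whole `S=<digits>` token outside the quoted field.

```python
import re
import shlex
from collections import defaultdict

# Constructed, simplified Exim-style arrival lines (not from any real server).
# Assumed layout: "<date> <time> <msgid> <= <sender> key=value ... T=\"<subject>\"".
# The MTA quotes the subject, but the bytes inside the quotes are sender-controlled.
SAMPLE_LOG = [
    '2020-02-01 10:00:00 1iyUqK-0003Qz-Tz <= bob@victim.example H=localhost [127.0.0.1] '
    'P=esmtpa S=2048 T="quarterly report"',
    # Outside sender whose subject imitates a log fragment for someone else's domain.
    '2020-02-01 10:00:05 1iyUqP-0003R4-1x <= attacker@evil.example H=mx.evil.example '
    '[203.0.113.5] P=esmtp S=612 T="<= bob@victim.example S=999999999"',
]

# Assumed mapping of mail domains to hosting accounts, and an assumed quota.
ACCOUNT_DOMAINS = {"victim.example": "victim", "evil.example": "evil"}
SUSPEND_THRESHOLD = 10 * 1024 * 1024  # 10 MiB, chosen for the demo


def tally_unanchored(lines):
    """Vulnerable: the pattern is anchored to nothing in the line's structure.
    '<= user@<domain>' is accepted wherever it appears, including inside the
    quoted subject, and the size is the next 'S=' after it."""
    usage = defaultdict(int)
    for line in lines:
        for domain, account in ACCOUNT_DOMAINS.items():
            m = re.search(r"<= \S+@" + re.escape(domain) + r"\b.*?\bS=(\d+)", line)
            if m:
                usage[account] += int(m.group(1))
    return dict(usage)


def tally_anchored(lines):
    """Hardened: tokenise with shell-style quoting so the quoted subject is one
    token, take the sender only from the token after the '<=' marker, and take
    the size only from a whole token of the form S=<digits>."""
    usage = defaultdict(int)
    for line in lines:
        toks = shlex.split(line)
        if len(toks) < 5 or toks[3] != "<=":
            continue
        sender = re.fullmatch(r"[^@\s]+@([^@\s]+)", toks[4])
        if not sender:
            continue
        account = ACCOUNT_DOMAINS.get(sender.group(1).lower())
        if account is None:
            continue
        sizes = [t for t in toks[5:] if re.fullmatch(r"S=\d+", t)]
        if len(sizes) != 1:
            continue  # malformed or ambiguous line: do not guess a size
        usage[account] += int(sizes[0][2:])
    return dict(usage)


def suspended(usage, threshold=SUSPEND_THRESHOLD):
    """Accounts whose tallied usage meets the quota and would be suspended."""
    return sorted(acct for acct, used in usage.items() if used >= threshold)


if __name__ == "__main__":
    for name, fn in (("unanchored", tally_unanchored), ("anchored", tally_anchored)):
        usage = fn(SAMPLE_LOG)
        print(f"{name}: {usage} -> suspend {suspended(usage)}")
```

With these two lines the unanchored tally charges the `victim` account 999999999 bytes it never sent and suspends it, while the anchored tally attributes 2048 bytes to `victim` and 612 to `evil` and suspends nobody. The general lesson is that a regex run over a line containing attacker-controlled free text must be tied to the line's fixed fields (position, delimiters, quoting), not merely to a substring that looks right.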

cPanel TSR-2020-0001 Full Disclosure | cPanel Newsroom

SEC-515
Summary: Self-XSS vulnerability via temporary character set specification.
Security Rating: cPanel has assigned this vulnerability a CVSSv3 score of 4.7 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N)
Description: cPanel & WHM and its APIs allow you to specify a temporary character set to use for HTTP responses. Most interfaces and APIs do not expect to

cPanel TSR-2019-0006 Full Disclosure | cPanel Newsroom

SEC-499
Summary: Authentication bypass due to variations in webmail username handling.
Security Rating: cPanel has assigned this vulnerability a CVSSv3.1 score of 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Description: The process used to normalize and validate webmail account names was not consistent across different authentication subsystems. Because of these discrepancies, authenticated cPanel users could
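An added example of the vulnerability class (inconsistent normalization across subsystems), written for this page; it is not cPanel's code and the particular discrepancy shown, a name with two `@` signs parsed differently by the authorization check and the mailbox resolver, is a constructed illustration rather than the exact discrepancy in the advisory. The domain-ownership table and mailbox paths are invented.

```python
import re

# Constructed data: which hosting account owns which domain, and a mailbox store
# keyed by (local part, domain). Paths are invented for the demo.
DOMAIN_OWNER = {"attacker.example": "mallory", "victim.example": "alice"}
MAILBOXES = {
    ("mallory", "attacker.example"): "/home/mallory/mail/attacker.example/mallory",
    ("bob", "victim.example"): "/home/alice/mail/victim.example/bob",
}


def authz_domain_of(webmail_name):
    """Subsystem A (authorization): treats whatever follows the LAST '@' as the domain."""
    return webmail_name.rsplit("@", 1)[-1].lower()


def resolver_parts_of(webmail_name):
    """Subsystem B (mailbox lookup): a regex anchored only at the start, so text
    after a second '@' is silently ignored instead of rejected."""
    m = re.match(r"([^@]+)@([^@]+)", webmail_name)
    return (m.group(1).lower(), m.group(2).lower()) if m else None


def open_webmail_vulnerable(cpanel_user, webmail_name):
    """Two normalizers that disagree: A vouches for one domain, B opens another."""
    if DOMAIN_OWNER.get(authz_domain_of(webmail_name)) != cpanel_user:
        return None
    parts = resolver_parts_of(webmail_name)
    return MAILBOXES.get(parts) if parts else None


def canonical_name(webmail_name):
    """Single normalizer shared by every subsystem: strip, lowercase, exactly one
    '@', restricted character set. Anything that does not fit is rejected."""
    m = re.fullmatch(r"([a-z0-9._-]+)@([a-z0-9.-]+)", webmail_name.strip().lower())
    return (m.group(1), m.group(2)) if m else None


def open_webmail_fixed(cpanel_user, webmail_name):
    """Authorization and lookup both operate on the same canonical (local, domain)."""
    parts = canonical_name(webmail_name)
    if parts is None or DOMAIN_OWNER.get(parts[1]) != cpanel_user:
        return None
    return MAILBOXES.get(parts)


if __name__ == "__main__":
    crafted = "bob@victim.example@attacker.example"
    print("vulnerable:", open_webmail_vulnerable("mallory", crafted))
    print("fixed:     ", open_webmail_fixed("mallory", crafted))
```

In the vulnerable path, `mallory` (who owns `attacker.example`) passes the ownership check because the last `@` names a domain she controls, yet the resolver opens `bob@victim.example`. The fix is not a second special-case check but a single canonical form computed once and used by every subsystem, with any name that has more than one interpretation refused.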

cPanel TSR-2017-0005 Full Disclosure

SEC-276
Summary: SQL injection in eximstats processing.
Security Rating: cPanel has assigned this vulnerability a CVSSv3 score of 5.3 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N)
Description: When processing eximstats updates in buffered mode, errors in the SQL operations cause the updates to be reprocessed one statement at a time. The logic

cPanel TSR-2017-0004 Full Disclosure

SEC-263
Summary: Stored XSS during WHM cPAddons install.
Security Rating: cPanel has assigned this vulnerability a CVSSv3 score of 3.9 (CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N)
Description: It was possible for an attacker to actively inject HTML into the WHM cPAddons screen during a moderated install.
Credits: This issue was discovered

cPanel TSR-2017-0002 Full Disclosure

SEC-208
Summary: Addon domain conversion did not require a package for resellers.
Security Rating: cPanel has assigned this vulnerability a CVSSv3 score of 2.7 (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L)
Description: Previously, when you converted an addon domain to a normal account, it was not required that a reseller specify a

cPanel TSR-2016-0004 Full Disclosure

SEC-130
Summary: Apache logfiles start with loose permissions.
Security Rating: cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:L/AC:L/Au:S/C:P/I:N/A:N)
Description: The Apache domlogs were originally populated with loose permissions during creation.
Credits: This issue was discovered by the cPanel Security Team.
Solution: This issue
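An added example, not cPanel's code, of the create-then-tighten pattern that leaves a log file readable by other local users between creation and the permission fix, beside the form that asks for the final mode at creation time. Whether cPanel's original code followed exactly this shape is an assumption; the file names and the 10-line race window are constructed for the demo, and the umask is set explicitly so the result does not depend on the caller's environment.

```python
import os
import stat
import tempfile


def create_log_loose(path):
    """Assumed vulnerable shape: create with mode 0666 & ~umask (0644 under the
    usual 022 umask), then chmod afterwards. Until the chmod lands, any local
    user can open and read the file, and a reader who opened it in that window
    keeps the descriptor after the chmod."""
    with open(path, "w"):
        pass
    mode_in_window = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, 0o640)
    return mode_in_window


def create_log_strict(path):
    """Fixed: request the final mode at creation. O_EXCL also refuses to reuse a
    file or symlink that someone pre-planted at the path."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    os.close(fd)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Returns (mode seen during the loose window, mode of the strict file)."""
    old = os.umask(0o022)  # typical default; pinned so the demo is deterministic
    try:
        with tempfile.TemporaryDirectory() as d:
            loose = create_log_loose(os.path.join(d, "victim.example"))
            strict = create_log_strict(os.path.join(d, "victim.example-strict"))
    finally:
        os.umask(old)
    return loose, strict


if __name__ == "__main__":
    loose, strict = demo()
    print(f"loose window: {loose:o}  strict: {strict:o}")
```

The check a practitioner wants after a fix like this is not "does the file end up 0640" but "was it ever anything else": the strict version never has a world-readable instant, and the creation mode is the only mode the file has ever had.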

cPanel TSR-2016-0002 Full Disclosure

SEC-31
Summary: Daemons can access their controlling TTY.
Security Rating: cPanel has assigned this vulnerability a CVSSv2 score of 8.5 (AV:N/AC:M/Au:S/C:C/I:C/A:C)
Description: Daemonized code is not fully detached from its parent process. This allows an attacker to control a TTY they do not own.
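An added example, written for this page and not cPanel's daemonization code, of the detach sequence a daemon needs in order to lose its controlling terminal (setsid() to leave the parent's session, then a second fork so the survivor is not a session leader and cannot reacquire a terminal by opening one), together with the check that tells you whether a process still has one: opening /dev/tty fails with ENXIO when there is no controlling terminal. Which of these steps cPanel's affected code omitted is not stated on the page and is not assumed here.

```python
import errno
import os


def child_can_open_tty(detach):
    """Fork a worker and report whether it can open /dev/tty, i.e. whether it
    still has a controlling terminal. With detach=True the worker first runs
    the full detach sequence (setsid, then a second fork)."""
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:  # first child
        os.close(r)
        try:
            if detach:
                os.setsid()               # new session, no controlling TTY
                if os.fork() != 0:
                    os._exit(0)           # intermediate child leaves; grandchild continues
            try:
                # /dev/tty resolves to the caller's controlling terminal. O_NOCTTY is
                # the habit for any tty open in daemon code: never acquire a terminal
                # as a side effect of opening one.
                fd = os.open("/dev/tty", os.O_RDWR | os.O_NOCTTY)
                os.close(fd)
                verdict = b"Y"
            except OSError as e:
                # ENXIO is the kernel's answer for "no controlling terminal".
                verdict = b"N" if e.errno == errno.ENXIO else b"?"
            os.write(w, verdict)
        finally:
            os._exit(0)
    os.close(w)
    os.waitpid(pid, 0)
    verdict = os.read(r, 1)  # blocks until the (grand)child reports or exits
    os.close(r)
    return verdict == b"Y"


if __name__ == "__main__":
    print("undetached child can open /dev/tty:", child_can_open_tty(False))
    print("detached child can open /dev/tty:  ", child_can_open_tty(True))
```

Run from an interactive shell, the undetached child reports True and the detached one False; under a scheduler or CI job with no terminal both report False, which is why the assertion worth keeping is only that a detached worker never has one. A daemon that skips setsid() keeps the terminal of whoever started it, which is the condition the advisory describes.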