cPanel TSR-2021-0004 Full Disclosure
cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system.
SEC-585
Summary
WHM Locale Upload is vulnerable to XXE and unserialization attacks.
Security Rating
cPanel has assigned this vulnerability a CVSSv3.1 score of 2.3 (CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:N/I:L/A:N).
Description
The WHM Locale Upload functionality allows arbitrary XML documents to be uploaded. These documents may be serialized Perl object data. They may include references to external entities and/or be recorded as blessed Perl objects. This may lead to arbitrary file reads/writes and/or code execution.
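One way to guard an XML upload handler against the two problems described above, shown as an added example that is not cPanel's code or its fix. It assumes XML::LibXML as the parser; the function names and sample documents are hypothetical and constructed for illustration.

```perl
#!/usr/bin/perl
# Added example (not cPanel code): validate untrusted XML and the data
# structure produced from it. All names here are hypothetical.
use strict;
use warnings;
use XML::LibXML;
use Scalar::Util qw(blessed reftype);

# Parse with entity expansion, external DTD loading and network access
# disabled, and refuse any document that carries a DOCTYPE at all.
sub parse_untrusted_xml {
    my ($xml) = @_;
    my $parser = XML::LibXML->new(
        no_network      => 1,
        load_ext_dtd    => 0,
        expand_entities => 0,
    );
    my $doc = eval { $parser->load_xml( string => $xml ) }
        or die "rejected: not well-formed XML\n";
    die "rejected: DOCTYPE not allowed\n"
        if defined( $doc->internalSubset ) || defined( $doc->externalSubset );
    return $doc;
}

# Walk a deserialized structure and refuse blessed objects and any
# reference type other than a plain hash or array (a strict policy
# chosen for this example).
sub assert_plain_data {
    my ($data) = @_;
    return 1 unless ref $data;
    die "rejected: blessed object (" . ref($data) . ")\n" if blessed $data;
    my $type = reftype $data;
    if    ( $type eq 'HASH' )  { assert_plain_data($_) for values %$data }
    elsif ( $type eq 'ARRAY' ) { assert_plain_data($_) for @$data }
    else                       { die "rejected: $type reference\n" }
    return 1;
}

# Constructed sample inputs (not the real locale file format).
my $clean = '<locale><entry key="Hello">Bonjour</entry></locale>';
my $dtd   = '<!DOCTYPE locale [<!ENTITY e "x">]><locale>&e;</locale>';
for my $xml ( $clean, $dtd ) {
    print eval { parse_untrusted_xml($xml); 1 } ? "accepted\n" : $@;
}
my $obj = bless {}, 'Some::Class';    # stands in for a revived object
print eval { assert_plain_data( { a => [ 1, $obj ] } ) } ? "accepted\n" : $@;
```

The first check addresses the external-entity path and the second the blessed-object path; a handler would need both to pass before using the uploaded data.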
Credits
This issue was discovered by Adrian Tiron, Fortbridge (
For the PGP-Signed message please see