cPanel TSR-2023-0001 Full Disclosure
SEC-668
Summary
Beef up filter checking for invalid webmail forwarders.
Security Rating
cPanel has assigned this vulnerability a CVSSv3.1 score of Severity: 5.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Description
Putting back-slashes before and after forbidden webmail forwarder words (such as include) will allow it to go through. Improve the filter to catch this.
Credits
This issue was discovered by John Lightsey.
Solution
This issue is resolved in the following builds:
11.109.9999.116
11.108.0.13
11.106.0.18
11.102.0.31
SEC-669
Summary
Escape HTML message in cpsrvd's error page.
Security Rating
cPanel has assigned this vulnerability a CVSSv3.1 score of 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Description
An invalid webcall ID can contain cross-site scripting content and needs to be escaped when displayed on the error page for cpsrvd. By escaping the HTML message in the error page we can prevent cross-site scripting from this source as well as any other source that makes it onto the error page.
Credits
This issue was discovered by two different reporters, Sergey Temnikov and Shubham Shah.
Solution
This issue is resolved in the following builds:
11.109.9999.116
11.108.0.13
11.106.0.18
11.102.0.31
Please sign in to leave a comment.
Comments
0 comments