CPANEL-48811
110.0.73
2025-09-09
Fixed case CPANEL-48811: Security Update: 48 hour disclosure embargo.
We are on CloudLinux 6 (update planned next month), so we cannot update to 110.0.73.
What security issue is this? Can we disable something, or how critical is the issue?
Maybe there is a manual replacement of files to fix the issue?
-
Hey there! I can't say anything official yet, but when we actually say the details are embargoed that's a sure sign that it's not good. In this particular case we don't think there is a public exploit available but we wanted to patch the issue just in case something were to come up in the future.
-
Thanks. We hope there is a mitigation.
Maybe disable some functions, which is OK for us.
Any small hints?
Many many thanks.
-
There aren't any tools that can be disabled to get around this one as it was related to cPanel itself.
-
Any mitigations? Or can we manually replace some files to patch? Or are we safe because of CloudLinux CageFS?
Anything would help.
Many many thanks.
-
Oddly this seems to be available for 11.126 (LTS) and 11.130. But I don't see it available for my 11.128 machines. And http://layer2.cpanel.net/ shows the same. Even though the 11.128 changelog does reference there being an 11.128.20 security update. All my 11.128 machines are still on 11.128.19.
-
You would need to be on 128.0.20 in order to receive the update for that tier, which is actually being released right now!
-
128.0.20 is the update for the security issue. I'm on 128.0.19. Ok on it being released now. 128.0.20 is now available to my servers.
Thanks
-
Any mitigations? Or can we manually replace some files to patch? Or are we safe because of CloudLinux CageFS?
Anything would help.
Many many thanks.
-
The best thing you can do would be to update the server. I really can't say any more at this time.
-
Sure, but sadly not possible yet. We will do this next month.
-
Fixed case CPANEL-48811: Security Update: Generic Unseen Parameters Discovery in resetpass.cgi
Blocked unauthenticated users from enabling debug mode via a query parameter in the URL.
Credit to reporter: adwin
CVSS Score: 3.7
OK, only 3.7?
Why is it so critical?
Can we delete this CGI as a mitigation, and all is fine?
Many thanks.
-
No, you can't delete this CGI as it's part of the cPanel software itself and not an addon.
-
OK, and patch only this file manually?
Or delete it; we do not need the password reset.
Are we safe from the issue if the file is not there, or are other things impacted too? And why is it critical, but the CVE score is only 3.7?
Thanks for the answers.
-
There is no way to manually patch this. With the server being on CloudLinux 6 there are likely hundreds of other vulnerabilities that you may not even be aware of that have been fixed over the last year but that you aren't eligible for.
I can't say why the specific CVE scores are assigned, but I will say this specific issue had been in the product for a very long time before it came to our attention.
Your best bet is to just wait until you can update the server.