CVE-2023-29489: cPanel TSR-2023-0001 Full Disclosure

An issue was discovered in cPanel before 11.109.9999.116. XSS can occur on the cpsrvd error page via an invalid webcall ID, aka SEC-669. The fixed versions are 11.109.9999.116, 11.108.0.13, 11.106.0.18, and 11.102.0.31.


SEC-668

Summary

Beef up filter checking for invalid webmail forwarders.

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of 5.3 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).

Description

Putting backslashes before and after forbidden webmail forwarder words (such as include) allows them to pass the filter. Improve the filter to catch this.

Credits

This issue was discovered by John Lightsey.

Solution

This issue is resolved in the following builds:
11.109.9999.116
11.108.0.13
11.106.0.18
11.102.0.31

SEC-669

Summary

Escape HTML message in cpsrvd’s error page.

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of 6.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L).

Description

An invalid webcall ID can contain cross-site scripting content and needs to be escaped when displayed on the error page for cpsrvd. By escaping the HTML message in the error page we can prevent cross-site scripting from this source as well as any other source that makes it onto the error page.
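As an added illustration of the fix SEC-669 describes (this is not cPanel's code; the page template, the webcall ID syntax and the sample ID are assumptions made here), the unescaped rendering sits beside the escaped one, with a parser-based check showing which of the two yields a live script element:

```python
import html
import re
from html.parser import HTMLParser

# Constructed error-page template for this example. It is not cpsrvd's real
# template; only its shape (an untrusted message inside a <p>) is assumed.
ERROR_TEMPLATE = (
    "<html><body><h1>cpsrvd error</h1>"
    "<p>Invalid webcall ID: {message}</p></body></html>"
)

# Assumed ID syntax, used as an extra allow-list check; the advisory does not
# state the real format.
WEBCALL_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def render_error_unescaped(webcall_id: str) -> str:
    """Pre-fix behaviour: the caller-supplied ID is interpolated into the
    page verbatim, so markup inside it becomes live markup (reflected XSS)."""
    return ERROR_TEMPLATE.format(message=webcall_id)


def render_error_escaped(webcall_id: str) -> str:
    """Post-fix behaviour as SEC-669 describes it: HTML-escape the message,
    so whatever reached the error page is displayed as text, not parsed."""
    return ERROR_TEMPLATE.format(message=html.escape(webcall_id, quote=True))


def is_valid_webcall_id(webcall_id: str) -> bool:
    """Defence in depth: reject malformed IDs before any page is rendered."""
    return WEBCALL_ID_RE.fullmatch(webcall_id) is not None


class _TagCollector(HTMLParser):
    """Records start-tag names, i.e. the elements a browser would create."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append(tag)


def tags_in(page: str) -> list[str]:
    """Return the element names present in a rendered page."""
    collector = _TagCollector()
    collector.feed(page)
    return collector.tags


# Constructed test vector standing in for an invalid, markup-bearing ID.
SAMPLE_BAD_ID = '"><script>alert(1)</script>'
```

Running `tags_in` over both renderings is also a cheap regression check to keep next to the template: any element name beyond those the template itself declares means an escape is missing.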

Credits

This issue was discovered by two different reporters, Sergey Temnikov and Shubham Shah.

Solution

This issue is resolved in the following builds:
11.109.9999.116
11.108.0.13
11.106.0.18
11.102.0.31

https://news.cpanel.com/wp-content/uploads/2023/02/TSR-2023-0001-Full-Disclosure.signed.txt
