cPanel has announced the latest vulnerabilities and their solutions in a post they published.
cPanel has announced the SEC-515, SEC-535, SEC-537, SEC-541, SEC-542, SEC-543, SEC-544, SEC-545, SEC-546, and SEC-547 vulnerabilities. All vulnerabilities are discovered by the cPanel Security Team.
SEC-515 is a vulnerability caused by the temporary character set specification and has a CVSSv3 score of 4.7. In cPanel & WHM API, users can specify a temporary character set to be used for HTTP responses. The changed character set of their response is now expected by most interfaces and APIs. An attacker can be allowed to cause the rendering browser to parse and execute code by this confusion. The issue is resolved in 126.96.36.199 and 188.8.131.52 builds.
SEC-535 is a self-stored XSS vulnerability in HTML file editor with a CVSSv3 score of 4.7. The error message displayed by the cPanel HTML file editor when failing to open a file was not encoded adequately. These error messages were vulnerable to manipulation to include HTML markup that would be rendered by the user’s browser. The issue is also resolved in 184.108.40.206 and 220.127.116.11 builds.
SEC-537 is a vulnerability caused by the arbitrary code execution as root via dnsadmin when using PowerDNS with a CVSSv3 score of 8.2. Additional positional parameters to be injected when calling the pdns_control command was allowed by the name server configuration logic for PowerDNS. A malicious reseller with the clustering ACL to execute arbitrary code on the system was able to inject malicious data into these parameters. The issue is also resolved in 18.104.22.168 and 22.214.171.124 builds.
In SEC-541 vulnerability, feature and demo restrictions not enforced for WebDisk UAPI calls. CVSSv3 score of SEC-541 is assigned as 5.3. This vulnerability can be described as refactoring of the feature and demo access restriction code removed enforcement of these restrictions on all WebDisk UAPI calls. The issue is also resolved in 126.96.36.199 and 188.8.131.52 builds.
SEC-542’s CVSSv3 score is assigned as 4.8. In this vulnerability, the API calls available in the Market UAPI namespace did not limit the actions of demo accounts properly. The issue is also resolved in 184.108.40.206 and 220.127.116.11 builds.
SEC-543’s CVSSv3 score is 4.8. In this vulnerability, restrictions on demo accounts for several Branding API1 and API2 calls were not properly enforced. This allowed demo accounts to read and write arbitrary files on the system in some configurations. The issue is also resolved in 18.104.22.168 and 22.214.171.124 builds.
SEC-544 is a vulnerability caused by demo account remote code execution via cpsrvd rsync shell. The cPanel server includes rsync remote file transfer functionality. The access controls limiting demo account usage of this functionality was ineffective. A demo account user can execute arbitrary code on the server to abuse this vulnerability. SEC-544’s CVSSv3 score is 8.3 and it is resolved in 126.96.36.199 build.
SEC-545’s CVSSv3 score is the highest one on the list with 9.1. This vulnerability allows root remote code execution for resellers via cpsrvd rsync shell. A reseller was able to execute arbitrary code as the root due to the ineffectiveness of the rsync remote file transfer functionality. The issue is resolved in 188.8.131.52.
SEC-546’s CVSSv3 score is 8.3. In this vulnerability, the “ensure_deps” API will install dependencies according to a configuration file within the application directory when registering a Passenger application. But demo accounts were not restricted from invoking this API call, allowing the execution of arbitrary code on the server. This issue is also resolved in 184.108.40.206 and 220.127.116.11 builds.
cPanel has assigned SEC-547 vulnerability a CVSSv3 score of 6.5. In this vulnerability functionality intended to handle JSON POST data submitted in HTTP requests did not apply input filtering required to distinguish file uploads from other form parameters. A malicious webmail or demo account was able to misuse this behavior to delete files on the system. This issue is also resolved in 18.104.22.168 and 22.214.171.124 builds.