cPanel has published the full disclosure for TSR-2020-0007, which covers three security fixes. cPanel rated the issues with CVSSv3.1 scores ranging from 2.6 to 4.7. The resolved issues were discovered by the cPanel Security Team and independent security researchers.
URL parameter injection vulnerabilities
SEC-567, discovered by the cPanel Security Team, covers URL parameter injection vulnerabilities in multiple interfaces. According to the TSR-2020-0007 full disclosure: “Many cPanel & WHM interfaces create URIs to other interfaces by incorporating user-supplied data in URI query parameters. Several cPanel & WHM interfaces were using URL encoding on these parameters rather than URI encoding. Due to this mistake, a cPanel & WHM user could be misled into performing actions they did not intend.”
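The following is an added illustration, not cPanel's code, of the class of mistake the disclosure describes. It uses JavaScript's built-in encodeURI(), which escapes only characters that are illegal anywhere in a URL and leaves the reserved delimiters &, =, ? and # alone, as a stand-in for the "URL encoding" of the advisory, and encodeURIComponent() for correct per-component URI encoding. The interface path, the parameter name and the hostile value are constructed for the example.

```javascript
// Added example (not cPanel code): URL parameter injection caused by encoding a
// user-supplied value with a whole-URL encoder instead of a per-component one.
// Interface path, parameter name and hostile input are constructed.

// Broken: encodeURI() escapes only characters invalid in a URL as a whole and
// leaves '&', '=', '?' and '#' untouched, so a value containing them adds
// parameters to (or truncates) the query string of the generated link.
function buildLinkBroken(domain) {
  return encodeURI("/scripts/example_action?domain=" + domain);
}

// Fixed: encodeURIComponent() percent-encodes every reserved character, so the
// value stays confined to the single parameter it was meant to fill.
function buildLinkFixed(domain) {
  return "/scripts/example_action?domain=" + encodeURIComponent(domain);
}

// Parse a generated link the way the receiving interface would see it.
// The base origin is a placeholder needed only to resolve the relative path.
function parseQuery(link) {
  const url = new URL(link, "https://whm.example.invalid:2087");
  return Object.fromEntries(url.searchParams.entries());
}

// Check a generated link against the parameters the caller intended to emit:
// any other key means the user-supplied value escaped its parameter.
function injectsParameters(link, allowedKeys) {
  return Object.keys(parseQuery(link)).some((k) => !allowedKeys.includes(k));
}

// Constructed hostile value: a "domain" that smuggles two extra parameters.
const hostileValue = "example.com&force=1&skipdns=1";

if (typeof require !== "undefined" && require.main === module) {
  console.log(buildLinkBroken(hostileValue), parseQuery(buildLinkBroken(hostileValue)));
  console.log(buildLinkFixed(hostileValue), parseQuery(buildLinkFixed(hostileValue)));
}
```

The same check catches the fragment variant: a value containing # passed through encodeURI() cuts the query short at that character, while encodeURIComponent() turns it into %23 and the full value survives the round trip.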
The second issue, SEC-575, concerns two-factor authentication: the two-factor authentication cPanel Security Policy did not prevent an attacker from repeatedly submitting two-factor authentication codes. A one-time code has a far smaller search space than a password, so without a limit on failed attempts the second factor can simply be guessed.
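An added simulation, not cPanel's code, of why an un-rate-limited second factor is brute-forceable and what changes when each failed code counts like a failed password. The six-digit code, the account name and the lockout threshold of five failures are assumptions made for the example; cPHulk's real thresholds are configurable and are not modelled here.

```javascript
// Added example (not cPanel code): brute-forcing a second factor with and
// without a failure counter. Code value, account and threshold are constructed.

const CODE_DIGITS = 6;
const CODE_SPACE = 10 ** CODE_DIGITS; // a 6-digit code has only 1,000,000 values

class SecondFactorGate {
  // rateLimited=false models the pre-fix behaviour: every submission is checked
  // with no memory of earlier failures. rateLimited=true feeds each failure into
  // the same per-account counter a bad password would hit and locks the account
  // once the threshold is reached.
  constructor(validCode, { rateLimited, maxFailures = 5 } = {}) {
    this.validCode = validCode;
    this.rateLimited = rateLimited;
    this.maxFailures = maxFailures;
    this.failures = new Map(); // account -> consecutive failed attempts
    this.locked = new Set();
  }

  verify(account, code) {
    if (this.locked.has(account)) return "locked";
    if (code === this.validCode) {
      this.failures.delete(account);
      return "ok";
    }
    if (this.rateLimited) {
      const n = (this.failures.get(account) ?? 0) + 1;
      this.failures.set(account, n);
      if (n >= this.maxFailures) this.locked.add(account);
    }
    return "invalid";
  }
}

// Enumerate the whole code space in order until the gate accepts or locks us out.
function bruteForce(gate, account) {
  for (let i = 0; i < CODE_SPACE; i++) {
    const result = gate.verify(account, String(i).padStart(CODE_DIGITS, "0"));
    if (result === "ok") return { success: true, attempts: i + 1 };
    if (result === "locked") return { success: false, attempts: i + 1 };
  }
  return { success: false, attempts: CODE_SPACE };
}

// Constructed current code. Real TOTP values rotate, which bounds how long one
// code is valid but not the odds of each guess; only capping attempts does that.
function demo() {
  const code = "483920";
  return {
    unlimited: bruteForce(new SecondFactorGate(code, { rateLimited: false }), "alice"),
    limited: bruteForce(new SecondFactorGate(code, { rateLimited: true }), "alice"),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

With no counter the enumeration reaches the code after 483,921 submissions; with failures counted, the account locks after the fifth miss and the sixth submission is refused outright, so an attacker gets at most maxFailures guesses per lockout period rather than the whole code space.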
“This allowed an attacker to bypass the two-factor authentication check using brute force techniques. Failed validation of the two-factor authentication code is now treated as equivalent to a failure of the account’s primary password validation and rate limited by cPHulk,” the disclosure states.
The most critical bug in the WHM Transfer Tool interface
The most critical bug, SEC-577, was assigned a CVSSv3.1 score of 4.7 by cPanel. Error messages in the WHM Transfer Tool interface were not properly encoded, which allowed HTML to be injected into some of the error messages displayed for invalid input.
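An added example, not cPanel's code, of the SEC-577 bug class: an error message that echoes rejected input into markup without encoding it for the HTML text context, beside the encoded version. The message wording, the hostile input and the tag-counting check are constructed for the example.

```javascript
// Added example (not cPanel code): HTML injection through an unencoded error
// message, and the fix. Message text and hostile input are constructed.

// Minimal escaper for text placed between HTML tags. Each character is mapped
// in a single pass, so '&' in the input cannot be double-escaped.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Broken: interpolates the rejected input straight into the markup, so any
// tags in the input become part of the page.
function renderErrorBroken(input) {
  return `<div class="error">Invalid hostname: ${input}</div>`;
}

// Fixed: encodes the input for the HTML text context before interpolating.
function renderErrorFixed(input) {
  return `<div class="error">Invalid hostname: ${escapeHtml(input)}</div>`;
}

// Crude test-time check: count tags in the rendered output and compare with
// the number the template itself contributes (two for the wrapper div).
function tagCount(html) {
  return (html.match(/<[^>]+>/g) ?? []).length;
}

// Constructed hostile input: an invalid "hostname" that is really a tag.
const HOSTILE_INPUT = '<img src=x onerror="alert(document.domain)">';

if (typeof require !== "undefined" && require.main === module) {
  console.log(renderErrorBroken(HOSTILE_INPUT), tagCount(renderErrorBroken(HOSTILE_INPUT)));
  console.log(renderErrorFixed(HOSTILE_INPUT), tagCount(renderErrorFixed(HOSTILE_INPUT)));
}
```

The escaper above is only correct for text between tags; a value placed inside an attribute, a URL, or a script block needs the encoding for that context, which is the same lesson the SEC-567 fix teaches for URI query parameters.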