Advisory: Reflected Cross-Site Scripting in cPanel (CVE-2023-29489)
Summary
A reflected cross-site scripting vulnerability can be exploited without any authentication in affected versions of cPanel. The XSS vulnerability is exploitable regardless of whether the cPanel management ports (2080, 2082, 2083, 2086) are exposed externally. Websites on ports 80 and 443 are also vulnerable to the cross-site scripting vulnerability if they are being managed by cPanel.
An attacker can escalate this cross-site scripting vulnerability to command execution if targeting a logged-in cPanel user.
Impact
It is possible to execute arbitrary JavaScript, without authentication, in the context of a victim on almost every port of a web server running cPanel in its default setup.
Even on ports 80 and 443, it is possible to reach the /cpanelwebcall/ directory, as Apache proxies it to the cPanel management ports.
Because of this, an attacker can not only attack the management ports of cPanel but also the applications that are running on ports 80 and 443.
Because the cPanel management ports themselves are vulnerable to this cross-site scripting attack, an attacker could leverage this vulnerability to hijack a legitimate user's cPanel session.
Once acting on behalf of an authenticated cPanel user, it is usually trivial to upload a web shell and gain command execution.
Affected Software
The following versions are affected by this cross-site scripting vulnerability:
- < 11.109.9999.116
- < 11.108.0.13
- < 11.106.0.18
- < 11.102.0.31
Product Description
cPanel is a web hosting control panel software that is deployed widely across the internet.
Solution
This vulnerability can be remediated by upgrading to any of the following cPanel versions or above:
- 11.109.9999.116
- 11.108.0.13
- 11.106.0.18
- 11.102.0.31
cPanel’s official advisory can be found here.
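The fixed versions above are per release branch, so a fleet check has to compare each host against the fix for its own branch rather than against a single number. The following is an added example written for this advisory, not cPanel's or Assetnote's code; it assumes four-part dotted version strings, maps each to its major.minor branch, and reports versions on branches the advisory does not list as unknown instead of guessing.

```python
from typing import Dict, List, Optional, Tuple

# Fixed versions taken from the advisory, keyed by cPanel release branch (major.minor).
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, int, int, int]] = {
    (11, 109): (11, 109, 9999, 116),
    (11, 108): (11, 108, 0, 13),
    (11, 106): (11, 106, 0, 18),
    (11, 102): (11, 102, 0, 31),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse a dotted cPanel version such as '11.108.0.12' into a tuple of ints."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised cPanel version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str) -> Optional[bool]:
    """True if below the fix for its branch, False if at or above it,
    None if the branch is not one listed in the advisory (assumption: unlisted
    branches are reported as unknown rather than inferred)."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get((v[0], v[1]))
    if fixed is None:
        return None
    return v < fixed  # tuple comparison is lexicographic, component by component


def triage(hosts: Dict[str, str]) -> Dict[str, List[str]]:
    """Bucket a host -> version inventory into affected / patched / unknown."""
    result: Dict[str, List[str]] = {"affected": [], "patched": [], "unknown": []}
    for host, version in hosts.items():
        state = is_vulnerable(version)
        bucket = "unknown" if state is None else ("affected" if state else "patched")
        result[bucket].append(host)
    return result


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up for this example.
    sample = {
        "web1.example.test": "11.108.0.12",
        "web2.example.test": "11.108.0.13",
        "web3.example.test": "11.102.0.30",
        "web4.example.test": "11.109.9999.117",
        "web5.example.test": "11.104.0.5",
    }
    for bucket, members in triage(sample).items():
        print(f"{bucket}: {', '.join(members) or '-'}")
```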
Blog Post
The blog post detailing the steps taken for the discovery of this vulnerability can be found here.
Credits
Shubham Shah - Assetnote Security Research Team
Timeline
The timeline for this disclosure process can be found below:
- Jan 23rd, 2023: Disclosure of the XSS vulnerability to cPanel via security@cpanel.net.
- Jan 23rd, 2023: Confirmation from cPanel that they have received the vulnerability and are investigating further.
- Feb 12th, 2023: Request for updates from Assetnote side.
- Feb 13th, 2023: Vulnerability confirmed by cPanel and assigned SEC-669. Targeted security fix release to follow in a few weeks.
- March 1st, 2023: Vulnerability fixed and public disclosure released on cPanel website.