SB2019080518 - Multiple vulnerabilities in cPanel
Published: August 5, 2019 Updated: July 17, 2020
Description
This security bulletin contains information about 24 security vulnerabilities.
1) Cross-site scripting (CVE-ID: CVE-2016-10776)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can permanently inject and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
2) Cross-site scripting (CVE-ID: CVE-2016-10777)
The vulnerability allows a remote authenticated user to read and manipulate data.
cPanel before 60.0.25 allows self XSS in WHM Tweak Settings for autodiscover_host (SEC-177).
3) Cross-site scripting (CVE-ID: CVE-2016-10778)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can permanently inject and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
4) Cross-site scripting (CVE-ID: CVE-2016-10779)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can permanently inject and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
5) Cross-site scripting (CVE-ID: CVE-2016-10780)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can permanently inject and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
6) Cross-site scripting (CVE-ID: CVE-2016-10781)
The vulnerability allows a remote authenticated user to read and manipulate data.
cPanel before 60.0.25 allows self XSS in the UI_confirm API (SEC-180).
7) Cross-site scripting (CVE-ID: CVE-2016-10782)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can permanently inject and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
8) Cross-site scripting (CVE-ID: CVE-2016-10783)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can permanently inject and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
9) Cross-site scripting (CVE-ID: CVE-2016-10784)
The vulnerability allows a remote authenticated user to read and manipulate data.
cPanel before 60.0.25 allows self XSS in the alias upload interface (SEC-184).
10) Information disclosure (CVE-ID: CVE-2016-10785)
The vulnerability allows a remote authenticated user to gain access to sensitive information.
cPanel before 60.0.25 allows attackers to discover file contents during file copy operations (SEC-185).
11) Information disclosure (CVE-ID: CVE-2016-10786)
The vulnerability allows a remote authenticated user to gain access to sensitive information.
cPanel before 60.0.25 allows members of the nobody group to read Apache HTTP Server SSL keys (SEC-186).
12) Input validation error (CVE-ID: CVE-2016-10787)
The vulnerability allows a remote authenticated user to read and manipulate data.
The Host Access Control feature in cPanel before 60.0.25 mishandles actionless host.deny entries (SEC-187).
13) Input validation error (CVE-ID: CVE-2016-10788)
The vulnerability allows a remote authenticated user to execute arbitrary code.
cPanel before 60.0.25 allows arbitrary code execution via Maketext in PostgreSQL adminbin (SEC-188).
14) Input validation error (CVE-ID: CVE-2016-10789)
The vulnerability allows a remote authenticated user to execute arbitrary code.
cPanel before 60.0.25 allows code execution via the cpsrvd 403 error response handler (SEC-191).
15) Information disclosure (CVE-ID: CVE-2016-10790)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
cPanel before 60.0.25 does not use TLS for HTTP POSTs to listinput.cpanel.net (SEC-192).
16) Cross-site scripting (CVE-ID: CVE-2016-10767)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can permanently inject and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
17) Input validation error (CVE-ID: CVE-2016-10768)
The vulnerability allows a remote authenticated user to manipulate data.
cPanel before 60.0.25 allows file-overwrite operations during preparation for MySQL upgrades (SEC-161).
18) Open redirect (CVE-ID: CVE-2016-10769)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
cPanel before 60.0.25 allows an open redirect via /cgi-sys/FormMail-clone.cgi (SEC-162).
19) Input validation error (CVE-ID: CVE-2016-10770)
The vulnerability allows a remote authenticated user to manipulate data.
cPanel before 60.0.25 allows arbitrary file-overwrite operations during a Roundcube update (SEC-164).
20) Input validation error (CVE-ID: CVE-2016-10771)
The vulnerability allows a remote authenticated user to read and manipulate data.
cPanel before 60.0.25 allows file-create and file-chmod operations during ModSecurity Audit logfile processing (SEC-165).
21) Security Features (CVE-ID: CVE-2016-10772)
The vulnerability allows a local authenticated user to manipulate data.
cPanel before 60.0.25 does not enforce feature-list restrictions when calling the multilang adminbin (SEC-168).
22) Format string error (CVE-ID: CVE-2016-10773)
The vulnerability allows a remote authenticated user to execute arbitrary code.
cPanel before 60.0.25 allows format-string injection in exception-message handling (SEC-171).
23) Cross-site scripting (CVE-ID: CVE-2016-10774)
The vulnerability allows a remote authenticated user to read and manipulate data.
cPanel before 60.0.25 allows self XSS in the tail_ea4_migration.cgi interface (SEC-172).
24) Input validation error (CVE-ID: CVE-2016-10775)
The vulnerability allows a remote authenticated user to gain access to sensitive information.
cPanel before 60.0.25 allows arbitrary file-chown operations via reassign_post_terminate_cruft (SEC-173).
Remediation
Install the update from the vendor's website.