Multiple vulnerabilities in cPanel

Updated: 2021-02-11
Risk: Low
Patch available: YES
Number of vulnerabilities: 2
CVE-ID: CVE-2021-26266, CVE-2021-26267
CWE-ID: CWE-264, CWE-841
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: cPanel
Category: Web applications / Remote management & hosting panels

Vendor: cPanel, Inc

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU50650

Risk: Low

CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-26266

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote user to escalate privileges on the system.

The vulnerability exists due to the way cPanel handles account suspensions. A remote user can trigger a logic error by suspending an already suspended account via the WHM API. As a result, a Reseller can bypass the suspension lock.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

cPanel: 11.86.0.1 - 11.92.0.8

External links

https://news.cpanel.com/cpanel-tsr-2021-0001-full-disclosure/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Improper Enforcement of Behavioral Workflow

EUVDB-ID: #VU50652

Risk: Low

CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-26267

CWE-ID: CWE-841 - Improper Enforcement of Behavioral Workflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass imposed restrictions.

The vulnerability exists due to an error when handling suspensions for MySQL users with old-style password hashes on a MySQL 5.5 system. The suspendacct script fails to disable the passwords of such users, so the user retains access to the database after the account is suspended.
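An administrator auditing a MySQL 5.5 server for accounts affected by this issue would want to know which mysql.user entries still carry old-style (pre-4.1, 16 hex character) hashes, since those are the ones the advisory says suspendacct did not disable. The following is an added example, not cPanel's code: it parses constructed rows in the shape of `SELECT User, Host, Password FROM mysql.user` output (tab separated, hash values made up) and lists the accounts whose suspension state should be verified by hand or whose hash should be migrated.

```python
import re

# Constructed sample rows resembling tab-separated output of
# SELECT User, Host, Password FROM mysql.user on a MySQL 5.5 server.
# All hash values below are made up for illustration.
SAMPLE_MYSQL_USERS = "\n".join([
    "acct_app\tlocalhost\t*0123456789ABCDEF0123456789ABCDEF01234567",
    "acct_legacy\tlocalhost\t0123456789abcdef",
    "acct_nopw\tlocalhost\t",
    "acct_web\t%\t*FEDCBA9876543210FEDCBA9876543210FEDCBA98",
])

# Pre-4.1 hashes are 16 hex chars; 4.1+ hashes are '*' followed by 40 hex chars.
OLD_STYLE_HASH = re.compile(r"^[0-9a-fA-F]{16}$")
NEW_STYLE_HASH = re.compile(r"^\*[0-9A-Fa-f]{40}$")


def classify_hash(pw):
    """Return a label for the format of a mysql.user Password column value."""
    if pw == "":
        return "empty"
    if OLD_STYLE_HASH.match(pw):
        return "old-style"
    if NEW_STYLE_HASH.match(pw):
        return "new-style"
    return "other"


def parse_mysql_users(text):
    """Parse tab-separated (User, Host, Password) rows; blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, host, password = line.split("\t")
        rows.append((user, host, password))
    return rows


def find_old_style_users(text):
    """Return (user, host) pairs whose hash format suspendacct did not disable."""
    return [(user, host) for user, host, pw in parse_mysql_users(text)
            if classify_hash(pw) == "old-style"]


if __name__ == "__main__":
    for user, host in find_old_style_users(SAMPLE_MYSQL_USERS):
        print(f"review: '{user}'@'{host}' uses an old-style hash")
```

Accounts reported here should have their suspension state checked directly against the database grant tables; the MySQL 5.5 manual describes migrating such accounts to 4.1-style hashes by resetting the password with the old_passwords variable disabled.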


Mitigation

Install updates from the vendor's website.

Vulnerable software versions

cPanel: 11.86.0.1 - 11.92.0.8

External links

https://news.cpanel.com/cpanel-tsr-2021-0001-full-disclosure/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.