SB2024101772 - cPanel EasyApache update for PHP

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2024101772

SB2024101772 - cPanel EasyApache update for PHP

Published: October 17, 2024 Updated: March 18, 2025

Security Bulletin ID SB2024101772
Severity
Critical
Patch available
YES
Number of vulnerabilities 5
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

Critical 40% Medium 60%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 5 secuirty vulnerabilities.


1) OS command injection (CVE-ID: CVE-2012-1823)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to error when parsing QUERY_STRING parameters within PHP-CGI-based application (sapi/cgi/cgi_main.c). A remote attacker can send specially crafted HTTP request with query string without the "=" (equals sign) character, inject and execute arbitrary OS commands on vulnerable system with privileges of the web server.

Successful exploitation of the vulnerability results in denial of service or arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

2) OS Command Injection (CVE-ID: CVE-2024-4577)

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation in PHP-CGI implementation. A remote attacker can send specially crafted HTTP request to the application and execute arbitrary OS commands on the system.

Note, the vulnerability exists due to incomplete fix for #VU4201 (CVE-2012-1823).

3) Input validation error (CVE-ID: CVE-2024-5458)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient validation of user-supplied input when parsing URL. A remote attacker can bypass the filter_var FILTER_VALIDATE_URL checks.


4) OS Command Injection (CVE-ID: CVE-2024-1874)

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation when processing array-ish $command parameter of proc_open. A remote attacker can pass specially crafted input to the application and execute arbitrary OS commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


5) OS Command Injection (CVE-ID: CVE-2024-5585)

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to insufficient fix for #VU88482 (CVE-2024-1874). A remote attacker can pass specially crafted input to the application and execute arbitrary OS commands on the target system.


Remediation

Install update from vendor's website.

References