#VU50650 Permissions, Privileges, and Access Controls in cPanel - CVE-2021-26266

Cybersecurity Help s.r.o.

Published: 2021-02-11

Vulnerability identifier: #VU50650

Vulnerability risk: Low

CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-26266

CWE-ID: CWE-264

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
cPanel
Web applications / Remote management & hosting panels

Vendor: cPanel, Inc

Description

The vulnerability allows a remote user to escalate privileges on the system.

The vulnerability exists due to way cPanel handles account suspensions. A remote user can trigger a logical error by suspending an already suspended account via the WHM API. As a result, a Reseller can bypass the suspension lock.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

cPanel: 11.86.0.1 - 11.92.0.8

External links
https://news.cpanel.com/cpanel-tsr-2021-0001-full-disclosure/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in cPanel