Advisory: Reflected Cross-Site Scripting in cPanel (CVE-2023-29489)

Summary

A reflected cross-site scripting vulnerability can be exploited without any authentication in affected versions of cPanel. The XSS vulnerability is exploitable regardless of whether or not the cPanel management ports (2080, 2082, 2083, 2086) are exposed externally. Websites on port 80 and 443 are also vulnerable to the cross-site scripting vulnerability if they are being managed by cPanel.

An attacker can escalate this cross-site scripting vulnerability to command execution, if targeting a logged in cPanel user.

Impact

It is possible to execute arbitrary JavaScript, pre-authentication in the context of a victim, on almost every port of a webserver using cPanel within its default setup.

Even on port 80 and 443, it is possible to reach the <span class="code_single-line">/cpanelwebcall/</span> directory as it is being proxied to the cPanel management ports by Apache.

Because of this, an attacker can not only attack the management ports of cPanel but also the applications that are running on port 80 and 443.

Due to the fact that the cPanel management ports are vulnerable to this cross-site scripting attack, an attacker could leverage this vulnerability to hijack a legitimate user’s cPanel session.

Once acting on behalf of an authenticated user of cPanel, it is usually trivial to upload a web shell and gain command execution.

Affected Software

The following versions are affected by this cross-site scripting vulnerability:

• < 11.109.9999.116
• < 11.108.0.13
• < 11.106.0.18
• < 11.102.0.31

Product Description

cPanel is a web hosting control panel software that is deployed widely across the internet.

Solution

This vulnerability can be remediated by upgrading to any of the following cPanel versions or above:

• 11.109.9999.116
• 11.108.0.13
• 11.106.0.18
• 11.102.0.31

cPanel’s official advisory can be found here.

Blog Post

The blog post detailing the steps taken for the discovery of this vulnerability can be found here.

Credits

Shubham Shah - Assetnote Security Research Team

Timeline

The timeline for this disclosure process can be found below:

• Jan 23rd, 2023: Disclosure of the XSS vulnerability to cPanel via <span class="code_single-line">security@cpanel.net</span>.
• Jan 23rd, 2023: Confirmation from cPanel that they have received the vulnerability and are investigating further.
• Feb 12th, 2023: Request for updates from Assetnote side
• Feb 13th, 2023: Vulnerability confirmed by cPanel and assigned <span class="code_single-line">SEC-669</span>. Targeted security fix release to follow in a few weeks.
• March 1st, 2023: Vulnerability fixed and public disclosure released on cPanel website.