Apr 26, 2023
A reflected cross-site scripting vulnerability can be exploited without any authentication in affected versions of cPanel. The XSS vulnerability is exploitable regardless of whether the cPanel management ports (2080, 2082, 2083, 2086) are exposed externally. Websites served on ports 80 and 443 are also vulnerable to the cross-site scripting vulnerability if they are managed by cPanel.
An attacker can escalate this cross-site scripting vulnerability to command execution if the target is a logged-in cPanel user.
It is possible to execute arbitrary JavaScript, pre-authentication in the context of a victim, on almost every port of a webserver using cPanel within its default setup.
Even on ports 80 and 443, the /cpanelwebcall/ directory is reachable, because Apache proxies it to the cPanel management ports.
Because of this, an attacker can attack not only the management ports of cPanel but also the applications running on ports 80 and 443.
Because the cPanel management ports are vulnerable to this cross-site scripting attack, an attacker could leverage this vulnerability to hijack a legitimate user’s cPanel session.
Once acting on behalf of an authenticated user of cPanel, it is usually trivial to upload a web shell and gain command execution.
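As an added defensive example (not from the advisory, and not Assetnote's or cPanel's code), the following Python check scans Apache access-log lines for requests to the proxied /cpanelwebcall/ path that carry markup-like input, which is one way to spot probing of this path while patching is scheduled. The combined log format, the markup heuristic and the sample log lines are constructed assumptions; the remediation remains the version upgrade described below.

```python
import re
from urllib.parse import unquote

# Apache "combined" log format (assumption; adjust to the server's LogFormat).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Markup-like tokens that have no business in a legitimate request to this path.
MARKUP_RE = re.compile(r'<|>|javascript:|\bon\w+\s*=', re.IGNORECASE)


def flag_cpanelwebcall_requests(lines):
    """Return (client_ip, request_target) for /cpanelwebcall/ requests carrying
    markup-like input. The target is checked raw and after two rounds of
    percent-decoding so that double-encoded input is not missed."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        target = m.group("target")
        if not target.startswith("/cpanelwebcall/"):
            continue
        decoded = unquote(unquote(target))
        if MARKUP_RE.search(target) or MARKUP_RE.search(decoded):
            hits.append((m.group("ip"), target))
    return hits


# Constructed sample lines: one benign page hit, one URL-encoded probe,
# one double-encoded probe, and one plain request to the proxied path.
SAMPLE_LOG = [
    '203.0.113.5 - - [26/Apr/2023:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [26/Apr/2023:10:00:02 +0000] "GET /cpanelwebcall/%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 404 312 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [26/Apr/2023:10:00:03 +0000] "GET /cpanelwebcall/%253Csvg%2520onload%253Dx%253E HTTP/1.1" 404 312 "-" "curl/8.0"',
    '192.0.2.9 - - [26/Apr/2023:10:00:04 +0000] "GET /cpanelwebcall/ HTTP/1.1" 404 200 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, target in flag_cpanelwebcall_requests(SAMPLE_LOG):
        print(f"suspicious /cpanelwebcall/ request from {ip}: {target}")
```

Run it over a real access log by replacing SAMPLE_LOG with the file's lines; a hit on an unpatched host is a signal to prioritise the upgrade and review that user's sessions.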
The following versions are affected by this cross-site scripting vulnerability:
cPanel is a web hosting control panel software that is deployed widely across the internet.
This vulnerability can be remediated by upgrading to any of the following cPanel versions or above:
cPanel’s official advisory can be found here.
The blog post detailing the steps taken for the discovery of this vulnerability can be found here.
Shubham Shah - Assetnote Security Research Team
The timeline for this disclosure process can be found below:
SEC-669
Targeted security fix release to follow in a few weeks.