Published: J9:00:01 AM -0400ĬPanel does not automatically synchronize the PHP open_basedir configuration directive between the main server and virtual hosts that share physical directories, which might allow a local user to bypass open_basedir restrictions and access other virtual hosts via a PHP script that uses a main server URL (such as ~username) that is blocked by the user's own open_basedir directive, but not the main server's open_basedir directive. Published: Aug4:30:00 PM -0400ĭirectory traversal vulnerability in frontend/x3/stats/lastvisit.html in cPanel allows remote attackers to read arbitrary files via a. NOTE: this issue only crosses privilege boundaries when security settings such as disable_functions and safe_mode are active, since exploitation requires uploading of executable code to a home directory. Published: Aug4:30:00 PM -0400ĭirectory traversal vulnerability in autoinstall4imagesgalleryupgrade.php in the Fantastico De Luxe Module for cPanel allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the scriptpath_show parameter in a GoAhead action. Multiple cross-site scripting (XSS) vulnerabilities in autoinstall4imagesgalleryupgrade.php in the Fantastico De Luxe Module for cPanel allow remote attackers to inject arbitrary web script or HTML via the (1) localapp, (2) updatedir, (3) scriptpath_show, (4) domain_show, (5) thispage, (6) thisapp, and (7) currentversion parameters in an Upgrade action. Published: Septem2:15:14 AM -0400ĬPanel before 90.0.10 allows self XSS via the WHM Edit DNS Zone interface (SEC-566). The email quota cache in cPanel before 90.0.10 allows overwriting of files. Published: Septem2:15:14 AM -0400ĬPanel before 90.0.10 allows self XSS via WHM Manage API Tokens interfaces (SEC-569). Published: Septem2:15:14 AM -0400ĬPanel before 90.0.10 allows self XSS via the Cron Jobs interface (SEC-573). Published: Novem9:15:10 PM -0500ĬPanel before 90.0.10 allows self XSS via the Cron Editor interface (SEC-574). Published: Novem9:15:11 PM -0500ĬPanel before 90.0.17 has multiple instances of URL parameter injection (SEC-567). Published: Janu1:16:25 PM -0500ĬPanel before 90.0.17 allows self-XSS via the WHM Transfer Tool interface (SEC-577). Published: Janu1:16:25 PM -0500ĬPanel before 92.0.9 allows a Reseller to bypass the suspension lock (SEC-578). ![]() Published: Ap4:15:07 AM -0400ĬPanel before 92.0.9 allows a MySQL user (who has an old-style password hash) to bypass suspension (SEC-579). Published: Aug7:15:08 PM -0400ĬPanel before 94.0.3 allows self-XSS via EasyApache 4 Save Profile (SEC-581). ![]() The WHM Locale Upload feature in cPanel before 98.0.1 allows XXE attacks (SEC-585). The WHM Locale Upload feature in cPanel before 98.0.1 allows unserialization attacks (SEC-585). In cPanel before 96.0.13, scripts/fix-cpanel-perl mishandles the creation of temporary files (SEC-586). In cPanel before 96.0.13, fix_cpanel_perl lacks verification of the integrity of downloads (SEC-587).
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |