CVE-2023-29489

2023-04-2700:00:00

mitre

github.com

cpanel

xss vulnerability

cross-site scripting

sec-669

version 11.109.9999.116

CVSS3

5.3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

AI Score

6.2

Confidence

High

EPSS

0.006

Percentile

78.1%

SSVC

Exploitation

poc

Automatable

Technical Impact

total

JSON

An issue was discovered in cPanel before 11.109.9999.116. XSS can occur on the cpsrvd error page via an invalid webcall ID, aka SEC-669. The fixed versions are 11.109.9999.116, 11.108.0.13, 11.106.0.18, and 11.102.0.31.

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:a:cpanel:cpanel:*:*:*:*:*:*:*:*"
    ],
    "vendor": "cpanel",
    "product": "cpanel",
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "lessThan": "11.109.9999.116",
        "versionType": "custom"
      }
    ],
    "defaultStatus": "unknown"
  },
  {
    "cpes": [
      "cpe:2.3:a:cpanel:cpanel:11.109.9999.116:*:*:*:*:*:*:*"
    ],
    "vendor": "cpanel",
    "product": "cpanel",
    "versions": [
      {
        "status": "unaffected",
        "version": "11.109.9999.116"
      }
    ],
    "defaultStatus": "unaffected"
  }
]