The cPanel security team has identified several security concerns in their control panel software. They have also released patches to address all these security concerns with the cPanel and WHM product. This patch basically addresses 20 vulnerabilities in cPanel & WHM software versions 11.54, 11.52, 11.50, and 11.48. The patches include following vulnerability fix
- Arbitrary code execution via unsafe @INC path.
- SQL injection vulnerability in bin/horde_update_usernames.
- Arbitrary code execution vulnerability during locale duplication.
- Password hashes revealed by bin/mkvhostspasswd script.
- Limited arbitrary file read in bin/setup_global_spam_filter.pl.
- Code execution as shared users via JSON-API.
- Password hash revealed by chcpass script.
- Arbitrary file overwrite in scripts/check_system_storable.
- Arbitrary file chown/chmod during Roundcube database conversions.
- Arbitrary file read and write via scripts/fixmailboxpath.
- Arbitrary file overwrite in scripts/quotacheck.
- Limited arbitrary file chmod in scripts/secureit.
- Arbitrary code execution via scripts/synccpaddonswithsqlhost.
- Self-XSS in WHM PHP Configuration editor interface.
- Missing ACL enforcement in AppConfig subsystem.
- Stored XSS in WHM Feature Manager interface.
- Self-XSS in X3 Entropy Banner interface.
- Unauthenticated arbitrary code execution via cpsrvd.
For more details regarding this announcement, please check the following article:
How do you update the cPanel version?
- WHM interface : You can update the cPanel version from WHM panel through the following steps :-
- Login to WHM panel
- Click on cPanel
- Click on Update to Latest version
- Click on “Click to Upgrade” and proceed accordingly
- Command line interface (CLI) :- You can update the cPanel version through CLI by accessing the server via SSH and running the following command :-
We are working on the technical details on the some of the vulnerability, we will share as soon as possible.
Till then Stay Safe! Stay Secure!