CVE-2023-29489

2023-04-2721:15:10

CWE-79

[email protected]

web.nvd.nist.gov

120

In Wild

cpanel

xss

vulnerability

cpsrvd

error page

cve-2023-29489

security

nvd

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

5.8 Medium

AI Score

Confidence

High

0.004 Low

EPSS

Percentile

73.3%

JSON

An issue was discovered in cPanel before 11.109.9999.116. XSS can occur on the cpsrvd error page via an invalid webcall ID, aka SEC-669. The fixed versions are 11.109.9999.116, 11.108.0.13, 11.106.0.18, and 11.102.0.31.

Affected configurations

NVD

Node

cpanelcpanelRange<11.102.0.31

cpanelcpanelRange11.104.0–11.106.0.18

cpanelcpanelRange11.108.0–11.108.0.13

cpanelcpanelRange11.109.0–11.109.9999.116

CPENameOperatorVersion
cpanel:cpanelcpanellt11.102.0.31
cpanel:cpanelcpanellt11.106.0.18
cpanel:cpanelcpanellt11.108.0.13
cpanel:cpanelcpanellt11.109.9999.116