Code injection

2008-05-2815:32:00

PRIOn knowledge base

www.prio-n.com

7.7 High

AI Score

Confidence

Low

0.038 Low

EPSS

Percentile

91.9%

JSON

scripts/wwwacct in cPanel 11.18.6 STABLE and earlier and 11.23.1 CURRENT and earlier allows remote authenticated users with reseller privileges to execute arbitrary code via shell metacharacters in the Email address field (aka Email text box). NOTE: the vendor disputes this, stating "I’m unable to reproduce such an issue on multiple servers running different versions of cPanel.

CPENameOperatorVersion
cpanelle11.8.6
cpanelle11.23.1

CPE	Name	Operator	Version
	cpanel	le	11.8.6
	cpanel	le	11.23.1

References

www.securityfocus.com/archive/1/492223/100/0/threaded

www.securityfocus.com/archive/1/492259/100/0/threaded

www.securityfocus.com/bid/29277

www.securitytracker.com/id?1020042

exchange.xforce.ibmcloud.com/vulnerabilities/42529