Warning: CVE-2023-29489 cPanel reflected cross-site scripting vulnerability
CVE-2023-29489, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L (6.3)
The XSS vulnerability is exploitable regardless of whether the cPanel management ports (2080, 2082, 2083, 2086) are exposed externally. This means that any website served on ports 80 and 443 by a host running a vulnerable cPanel version is also vulnerable to the cross-site scripting vulnerability, even if the management interface itself is firewalled.
cPanel is web hosting control panel software. It provides a graphical interface (GUI) and automation tools designed to simplify hosting a website for the website owner or end user, and it enables administration through a standard web browser.
CVE-2023-29489 concerns a reflected cross-site scripting (XSS) vulnerability. Security researchers discovered that the message_html variable is not properly sanitized in the error pages generated by cpsrvd, which enables the XSS attack. Because the default proxy rules allow the /cpanelwebcall/ directory to be reached even on ports 80 and 443, the cPanel management ports do not need to be exposed to the internet for the vulnerability to be exploited.
A successful attack can allow the attacker to:
- access site content: web server data, databases, etc.
- modify site content: upload webshells, modify the application to dump user passwords, etc.
The Centre for Cyber Security Belgium strongly recommends that system administrators take the following actions in order to mitigate the impact of this vulnerability as efficiently as possible.
Many cPanel installations on the internet have cPanel's auto-update functionality enabled, meaning that you may no longer be vulnerable without having patched yourself, since cPanel fixed this issue at the end of February 2023. If you do not have this feature enabled, please consult the link provided in the reference table for instructions on how to enable it.
Should you choose not to enable the auto-update feature, please install a non-vulnerable version:
Since example XSS URIs for this vulnerability are publicly available, the CCB recommends that organizations scale up their monitoring and detection capabilities and look for any related suspicious activity, ensuring a fast response in case of an intrusion. In particular, monitor for suspicious administrator logins.
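As an added example (not part of the original advisory and not cPanel's own code), the script below shows one way to act on the monitoring recommendation above for the mechanism described earlier: because the reflection happens through the /cpanelwebcall/ path proxied on ports 80 and 443, requests to that path carrying HTML markup in the URL are worth flagging. It parses Apache combined-format access log lines, fully URL-decodes the request target (so double-encoded payloads are not missed), and reports requests under /cpanelwebcall/ that contain tags, event-handler attributes or javascript: URIs. The log lines are constructed for the example; which log file holds this traffic on a given host, and the exact markup heuristic, are assumptions you should adapt to your environment.

```python
import re
from urllib.parse import unquote

# Constructed sample Apache combined-log lines (not real traffic).
# The first two mimic requests abusing the /cpanelwebcall/ path; the others are benign.
SAMPLE_LOG = """\
203.0.113.10 - - [02/May/2023:10:15:01 +0000] "GET /cpanelwebcall/%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.11 - - [02/May/2023:10:15:07 +0000] "GET /cpanelwebcall/%253Csvg%2520onload%253Dalert(document.domain)%253E HTTP/1.1" 200 1200 "-" "curl/8.0"
198.51.100.5 - - [02/May/2023:10:16:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [02/May/2023:10:16:30 +0000] "GET /cpanelwebcall/123456 HTTP/1.1" 404 300 "-" "Mozilla/5.0"
198.51.100.9 - - [02/May/2023:10:17:00 +0000] "GET /blog/?q=%3Cscript%3E HTTP/1.1" 200 800 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [timestamp], "request", status, size, "referer", "agent".
# The request is captured as one string and split afterwards, so a request target that
# itself contains spaces (possible with hand-crafted requests) does not break parsing.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) \S+'
)

# Heuristic for HTML/JS injection in a decoded URL: an opening tag, an on*= event
# handler attribute, or a javascript: scheme. Assumed starting point; tune for your traffic.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z!]|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE)

WEBCALL_PREFIX = "/cpanelwebcall/"


def decode_fully(target, max_rounds=3):
    """URL-decode repeatedly until stable, to defeat double/triple percent-encoding."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def split_request(request):
    """Split 'METHOD target PROTO' so that a target containing spaces stays intact."""
    method, _, rest = request.partition(" ")
    target, _, proto = rest.rpartition(" ")
    if not proto.upper().startswith("HTTP/"):
        # No protocol token (HTTP/0.9 style or garbage): treat the remainder as the target.
        target, proto = rest, ""
    return method, target, proto


def is_suspicious_webcall(target):
    """True when the decoded target is under /cpanelwebcall/ and carries markup."""
    decoded = decode_fully(target)
    if not decoded.lower().startswith(WEBCALL_PREFIX):
        return False
    return MARKUP_RE.search(decoded) is not None


def scan_log(text):
    """Return one record per suspicious request found in the given log text."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than crash on a malformed record
        method, target, _ = split_request(m.group("request"))
        if is_suspicious_webcall(target):
            hits.append({
                "ip": m.group("ip"),
                "timestamp": m.group("ts"),
                "method": method,
                "status": int(m.group("status")),
                "decoded_target": decode_fully(target),
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["timestamp"]} {hit["ip"]} {hit["method"]} {hit["status"]} {hit["decoded_target"]}')
```

On a real host, feed the script the access logs of every website served on ports 80 and 443, not only the cPanel service logs, since that is where the proxied /cpanelwebcall/ requests land. A hit identifies an attempt, not necessarily a successful one: a reflected XSS needs a victim to open the link, so correlate hits with administrator logins from unexpected addresses, as the advisory recommends.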
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.