Cpanel Cross-site Scripting

Why it can be dangerous and how to fix it

This article is a part of our Vulnerability Database (back to index)

Cross-site Scripting occurrences in Cpanel

cPanel before 94.0.3 allows self-XSS via EasyApache 4 Save Profile (SEC-581). (2021-04-26, CVE-2021-31803)

cPanel before 90.0.17 allows self-XSS via the WHM Transfer Tool interface (SEC-577). (2020-11-27, CVE-2020-29137)

cPanel before 88.0.13 allows self XSS via DNS Zone Manager DNSSEC interfaces (SEC-564). (2020-09-25, CVE-2020-26110)

cPanel before 90.0.10 allows self XSS via the Cron Editor interface (SEC-574). (2020-09-25, CVE-2020-26115)

cPanel before 90.0.10 allows self XSS via the Cron Jobs interface (SEC-573). (2020-09-25, CVE-2020-26114)

cPanel before 90.0.10 allows self XSS via the WHM Edit DNS Zone interface (SEC-566). (2020-09-25, CVE-2020-26111)

cPanel before 90.0.10 allows self XSS via WHM Manage API Tokens interfaces (SEC-569). (2020-09-25, CVE-2020-26113)

cPanel before 82.0.18 allows self-XSS because JSON string escaping is mishandled (SEC-520). (2020-03-17, CVE-2019-20493)

cPanel before 82.0.18 allows stored XSS via WHM Backup Restoration (SEC-533). (2020-03-17, CVE-2019-20497)

cPanel before 84.0.20 allows self XSS via a temporary character-set specification (SEC-515). (2020-03-17, CVE-2020-10113)

cPanel before 84.0.20 allows stored self-XSS via the HTML file editor (SEC-535). (2020-03-17, CVE-2020-10114)

cPanel before 82.0.15 allows self stored XSS in the WHM SSL Storage Manager interface (SEC-527). (2019-10-09, CVE-2019-17379)

cPanel before 82.0.15 allows self XSS in LiveAPI example scripts (SEC-524). (2019-10-09, CVE-2019-17377)

cPanel before 82.0.15 allows self XSS in the SSL Certificate Upload interface (SEC-521). (2019-10-09, CVE-2019-17376)

cPanel before 82.0.15 allows self XSS in the SSL Key Delete interface (SEC-526). (2019-10-09, CVE-2019-17378)

cPanel before 82.0.15 allows self XSS in the WHM Update Preferences interface (SEC-528). (2019-10-09, CVE-2019-17380)

cPanel before 68.0.27 allows self stored XSS in WHM Account Transfer (SEC-386). (2019-08-01, CVE-2018-20950)

cPanel before 68.0.27 allows self XSS in cPanel Backup Restoration (SEC-383). (2019-08-01, CVE-2018-20948)

cPanel before 68.0.27 allows self XSS in the WHM listips interface (SEC-389). (2019-08-01, CVE-2018-20953)

cPanel before 68.0.27 allows self XSS in WHM Apache Configuration Include Editor (SEC-385). (2019-08-01, CVE-2018-20949)

cPanel before 68.0.27 allows self XSS in WHM Spamd Startup Config (SEC-387). (2019-08-01, CVE-2018-20951)

cPanel before 70.0.23 allows stored XSS in via a WHM "Reset a DNS Zone" action (SEC-412). (2019-08-01, CVE-2018-20935)

cPanel before 70.0.23 allows stored XSS via the cpaddons vendor interface (SEC-391). (2019-08-01, CVE-2018-20928)

cPanel before 70.0.23 has Stored XSS via an WHM Edit DNS Zone action (SEC-410). (2019-08-01, CVE-2018-20933)

cPanel before 70.0.23 allows code execution because "." is in @INC during a Perl syntax check of cpaddonsup (SEC-359). (2019-08-01, CVE-2018-20911)

cPanel before 70.0.23 allows self XSS in the WHM cPAddons showsecurity Interface (SEC-357). (2019-08-01, CVE-2018-20910)

cPanel before 70.0.23 allows stored XSS in WHM DNS Cluster (SEC-372). (2019-08-01, CVE-2018-20918)

cPanel before 70.0.23 allows stored XSS via a WHM "Delete a DNS Zone" action (SEC-375). (2019-08-01, CVE-2018-20921)

cPanel before 70.0.23 allows stored XSS via a WHM Create Account action (SEC-373). (2019-08-01, CVE-2018-20919)

cPanel before 70.0.23 allows stored XSS via a WHM DNS Cleanup action (SEC-376). (2019-08-01, CVE-2018-20922)

cPanel before 70.0.23 allows stored XSS via a WHM Edit DNS Zone action (SEC-369). (2019-08-01, CVE-2018-20915)

cPanel before 70.0.23 allows stored XSS via a WHM Edit DNS Zone action (SEC-374). (2019-08-01, CVE-2018-20920)

cPanel before 70.0.23 allows Stored XSS via a WHM Edit MX Entry (SEC-370). (2019-08-01, CVE-2018-20916)

cPanel before 70.0.23 allows stored XSS via a WHM Synchronize DNS Records action (SEC-377). (2019-08-01, CVE-2018-20923)

cPanel before 71.9980.37 allows Remote-Stored XSS in WHM Save Theme Interface (SEC-400). (2019-08-01, CVE-2018-20901)

cPanel before 71.9980.37 allows self XSS in the WHM Backup Configuration interface (SEC-421). (2019-08-01, CVE-2018-20903)

cPanel before 71.9980.37 allows stored XSS in the WHM cPAddons installation interface (SEC-398). (2019-08-01, CVE-2018-20899)

cPanel before 71.9980.37 allows stored XSS in the YUM autorepair functionality (SEC-399). (2019-08-01, CVE-2018-20900)

cPanel before 74.0.0 allows stored XSS in the WHM File Restoration interface (SEC-367). (2019-08-01, CVE-2018-20884)

cPanel before 74.0.8 allows self stored XSS on the Security Questions login page (SEC-446). (2019-08-01, CVE-2018-20881)

cPanel before 74.0.8 allows self XSS in the Site Software Moderation interface (SEC-434). (2019-08-01, CVE-2018-20876)

cPanel before 74.0.8 allows self XSS in the WHM "Create a New Account" interface (SEC-428). (2019-08-01, CVE-2018-20874)

cPanel before 74.0.8 allows self XSS in the WHM Security Questions interface (SEC-433). (2019-08-01, CVE-2018-20875)

cPanel before 74.0.8 allows self XSS in WHM Style Upload interface (SEC-437). (2019-08-01, CVE-2018-20877)

cPanel before 74.0.8 allows stored XSS in WHM "File and Directory Restoration" interface (SEC-441). (2019-08-01, CVE-2018-20878)

cPanel before 76.0.8 has Self XSS in the WHM Additional Backup Destination field (SEC-459). (2019-07-30, CVE-2018-20865)

cPanel before 76.0.8 has Stored XSS in the WHM "Reset a DNS Zone" feature (SEC-461). (2019-07-30, CVE-2018-20866)

cPanel before 76.0.8 has Stored XSS in the WHM MultiPHP Manager interface (SEC-464). (2019-07-30, CVE-2018-20868)

cPanel before 78.0.18 has stored XSS in the BoxTrapper Queue Listing (SEC-493). (2019-07-30, CVE-2019-14406)

cPanel before 82.0.2 has Self XSS in the cPanel and webmail master templates (SEC-506). (2019-07-30, CVE-2019-14387)

cPanel before 82.0.2 has stored XSS in the WHM Modify Account interface (SEC-512). (2019-07-30, CVE-2019-14390)

cPanel before 82.0.2 has stored XSS in the WHM Tomcat Manager interface (SEC-504). (2019-07-30, CVE-2019-14386)

cPanel through 74 allows XSS via a crafted filename in the logs subdirectory of a user account, because the filename is mishandled during frontend/THEME/raw/index.html rendering. (2018-08-30, CVE-2018-16236)

Why Cross-site Scripting can be dangerous

Cross site scripting is an attack where a web page executes code that is injected by an adversary. It usually appears, when users input is presented. This attack can be used to impersonate a user, take over control of the session, or even steal API keys.

The attack can be executed e.g. when you application injects the request parameter directly into the HTML code of the page returned to the user:

https://server.com/confirmation?message=Transaction+Complete

what results in:

<span>Confirmation: Transaction Complete</span>

In that case the message can be modified to become a valid Javascript code, e.g.:

https://server.com/confirmation?message=<script>dangerous javascript code here</script>

and it will be executed locally by the user's browser with full access to the user's personal application/browser data:

<span>Confirmation: <script>dangerous javascript code here</script></span>

Scan Your Web App Now
Scan your application
for 14 days for free

No credit card is required. No commitment.

Sign Up Free