Attacker Value

Moderate

(1 user assessed)

Exploitability

Very High

(1 user assessed)

User Interaction

CVE-2023-29489

Disclosure Date: April 27, 2023 •

CVE-2023-29489 CVSS v3 Base Score: 6.1

Exploited in the Wild

Reported by cbeek-r7
View Source Details

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

An issue was discovered in cPanel before 11.109.9999.116. XSS can occur on the cpsrvd error page via an invalid webcall ID, aka SEC-669. The fixed versions are 11.109.9999.116, 11.108.0.13, 11.106.0.18, and 11.102.0.31.

Add Assessment

cbeek-r7 (181)

October 17, 2023 7:31am UTC (1 year ago)

Ratings

Attacker Value

Medium

Exploitability

Very High

Common in enterprise Easy to weaponize Unauthenticated

Technical Analysis

A cross-site scripting vulnerability was identified in Cpanel with the ability to be exploited without requiring authentication. Furthermore, the XSS vulnerability remains exploitable, even if the cPanel management ports (2080, 2082, 2083, 2086) are not exposed externally. This implies that if your website is managed through cPanel, it may be vulnerable to cross-site scripting on ports 80 and 443.

This vulnerability’s allows us to execute arbitrary JavaScript without the need for authentication on nearly all webserver ports when using cPanel in its default configuration. Even on ports 80 and 443, one can access the /cpanelwebcall/ directory since it is being proxied to the cPanel management ports by Apache.
Consequently, an attacker can not only target the cPanel management ports but also the applications running on ports 80 and 443.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

6.1 Medium

Impact Score:

2.7

Exploitability Score:

2.8

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector (AV):

Network

Attack Complexity (AC):

Low

Privileges Required (PR):

None

User Interaction (UI):

Required

Scope (S):

Changed

Confidentiality (C):

Low

Integrity (I):

Low

Availability (A):

None

Vendors

cpanel

Products

cpanel

Exploited in the Wild

Reported by:

cbeek-r7 indicated source as Personally observed in an environment

Reported: October 17, 2023 7:10am UTC (1 year ago)

References

Canonical

CVE-2023-29489 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29489)

Exploit

PoCs that have not been added by contributors directly have been sourced from: nomi-sec/PoC-in-GitHub.
A PoC added here by the AKB Worker must have at least 2 GitHub stars.

Scanner-CVE-2023-29489 (https://github.com/haxor1337x/Scanner-CVE-2023-29489) (Added by AKB Worker)

CVE-2023-29489.py (https://github.com/ipk1/CVE-2023-29489.py) (Added by AKB Worker)

Miscellaneous

https://forums.cpanel.net/threads/cpanel-tsr-2023-0001-full-disclosure.708949/

https://blog.assetnote.io/2023/04/26/xss-million-websites-cpanel/

Rapid7

Moderate

CVE-2023-29489

Moderate

Very High

Required

None

Network

CVE-2023-29489

Description

Add Assessment

Ratings

Technical Analysis

CVSS V3 Severity and Metrics

General Information

Vendors

Products

Exploited in the Wild

References

Canonical

Exploit

Miscellaneous

Additional Info

Technical Analysis

Moderate

CVE-2023-29489

Moderate

Very High

Required

None

Network

CVE-2023-29489

Description

Add Assessment

Ratings

Technical Analysis

CVSS V3 Severity and Metrics

General Information

Vendors

Products

Exploited in the Wild

References

Canonical

Exploit

Miscellaneous

Additional Info

Technical Analysis

Quick Cookie Notification