Attacker Value
Moderate
(1 user assessed)
Exploitability
Very High
(1 user assessed)
User Interaction
Required
Privileges Required
None
Attack Vector
Network
2

CVE-2023-29489

Disclosure Date: April 27, 2023
CVE-2023-29489 CVSS v3 Base Score: 6.1
Exploited in the Wild
Reported by cbeek-r7
View Source Details
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

An issue was discovered in cPanel before 11.109.9999.116. XSS can occur on the cpsrvd error page via an invalid webcall ID, aka SEC-669. The fixed versions are 11.109.9999.116, 11.108.0.13, 11.106.0.18, and 11.102.0.31.

Add Assessment

1
Ratings
  • Attacker Value
    Medium
  • Exploitability
    Very High
Common in enterpriseEasy to weaponizeUnauthenticated
Technical Analysis

A cross-site scripting vulnerability was identified in Cpanel with the ability to be exploited without requiring authentication. Furthermore, the XSS vulnerability remains exploitable, even if the cPanel management ports (2080, 2082, 2083, 2086) are not exposed externally. This implies that if your website is managed through cPanel, it may be vulnerable to cross-site scripting on ports 80 and 443.

This vulnerability’s allows us to execute arbitrary JavaScript without the need for authentication on nearly all webserver ports when using cPanel in its default configuration. Even on ports 80 and 443, one can access the /cpanelwebcall/ directory since it is being proxied to the cPanel management ports by Apache.
Consequently, an attacker can not only target the cPanel management ports but also the applications running on ports 80 and 443.

Log in to Add Reply
CVSS V3 Severity and Metrics
Base Score:
6.1 Medium
Impact Score:
2.7
Exploitability Score:
2.8
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
Required
Scope (S):
Changed
Confidentiality (C):
Low
Integrity (I):
Low
Availability (A):
None

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
n/a
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

  • cpanel

Products

  • cpanel

Exploited in the Wild

Reported by:

References

Canonical
CVE-2023-29489 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29489)
Exploit
The following exploit POCs have not been verified by Rapid7 researchers, but are sourced from: nomi-sec/PoC-in-GitHub.
Additional sources will be added here as they become relevant.
Notes: We will only add the top 3 POCs for a given CVE. POCs added here must have at least 2 GitHub stars.
Scanner-CVE-2023-29489 (https://github.com/haxor1337x/Scanner-CVE-2023-29489)
CVE-2023-29489.py (https://github.com/ipk1/CVE-2023-29489.py)
Miscellaneous
https://forums.cpanel.net/threads/cpanel-tsr-2023-0001-full-disclosure.708949/
https://blog.assetnote.io/2023/04/26/xss-million-websites-cpanel/

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis