CVE-2023-29489

moderate-risk
Published 2023-04-27

An issue was discovered in cPanel before 11.109.9999.116. XSS can occur on the cpsrvd error page via an invalid webcall ID, aka SEC-669. The fixed versions are 11.109.9999.116, 11.108.0.13, 11.106.0.18, and 11.102.0.31.

Do I need to act?

!
92.9% chance of exploitation in next 30 days
EPSS score — higher than 7% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.3/10 Medium
LOCAL / LOW complexity

Affected Products (1)

Affected Vendors

Cpanel

References (4)

Exploit https://blog.assetnote.io/2023/04/26/xss-million-websites-cpanel/
Vendor Advisory https://forums.cpanel.net/threads/cpanel-tsr-2023-0001-full-disclosure.708949/
Exploit https://blog.assetnote.io/2023/04/26/xss-million-websites-cpanel/
Vendor Advisory https://forums.cpanel.net/threads/cpanel-tsr-2023-0001-full-disclosure.708949/
43
/ 100
moderate-risk
Severity 18/34 · Moderate
Exploitability 20/34 · Moderate
Exposure 5/34 · Minimal