CVE-2023-29489 : An issue was discovered in cPanel before 11.109.9999.116. XSS can occur on the c

An issue was discovered in cPanel before 11.109.9999.116. XSS can occur on the cpsrvd error page via an invalid webcall ID, aka SEC-669. The fixed versions are 11.109.9999.116, 11.108.0.13, 11.106.0.18, and 11.102.0.31.

Published 2023-04-27 21:15:11

Updated 2023-05-05 18:12:21

Source MITRE

View at NVD, CVE.org

Vulnerability category: Cross site scripting (XSS)

Products affected by CVE-2023-29489

Cpanel » Cpanel
Versions from including (>=) 11.104.0 and before (<) 11.106.0.18
cpe:2.3:a:cpanel:cpanel:*:*:*:*:*:*:*:*
Matching versions
Cpanel » Cpanel
Versions before (<) 11.102.0.31
cpe:2.3:a:cpanel:cpanel:*:*:*:*:*:*:*:*
Matching versions
Cpanel » Cpanel
Versions from including (>=) 11.108.0 and before (<) 11.108.0.13
cpe:2.3:a:cpanel:cpanel:*:*:*:*:*:*:*:*
Matching versions
Cpanel » Cpanel
Versions from including (>=) 11.109.0 and before (<) 11.109.9999.116
cpe:2.3:a:cpanel:cpanel:*:*:*:*:*:*:*:*
Matching versions

Threat overview for CVE-2023-29489

Top countries where our scanners detected CVE-2023-29489

Top open port discovered on systems with this issue 443

IPs affected by CVE-2023-29489 32,592

Threat actors abusing to this issue? Yes

Find out if you^* are affected by CVE-2023-29489!

^*Directly or indirectly through your vendors, service providers and 3rd parties. Powered by attack surface intelligence from SecurityScorecard.

Exploit prediction scoring system (EPSS) score for CVE-2023-29489

EPSS FAQ

93.33%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 100 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-29489

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.3	MEDIUM	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L	1.8	3.4	MITRE
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: Low Integrity: Low Availability: Low
6.1	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	2.8	2.7	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Changed Confidentiality: Low Integrity: Low Availability: None

CWE ids for CVE-2023-29489

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2023-29489

https://blog.assetnote.io/2023/04/26/xss-million-websites-cpanel/

Finding XSS in a million websites (cPanel CVE-2023-29489) – Assetnote
Exploit
https://forums.cpanel.net/threads/cpanel-tsr-2023-0001-full-disclosure.708949/

cPanel TSR-2023-0001 Full Disclosure | cPanel Forums
Vendor Advisory