Vulnerability CVE-2008-2478


Published: 2008-05-28   Modified: 2012-02-12

Description:
** DISPUTED ** scripts/wwwacct in cPanel 11.18.6 STABLE and earlier and 11.23.1 CURRENT and earlier allows remote authenticated users with reseller privileges to execute arbitrary code via shell metacharacters in the Email address field (aka Email text box). NOTE: the vendor disputes this, stating "I'm unable to reproduce such an issue on multiple servers running different versions of cPanel."

See advisories in our WLB2 database:
Topic: Cpanel all version >> root access with a reseller account. (High)
Author: a jasbi yahoo co...
Date: 29.05.2008

Type: CWE-94 (Improper Control of Generation of Code ('Code Injection'))

CVSS2 => (AV:N/AC:M/Au:S/C:C/I:C/A:C)

CVSS Base Score: 8.5/10
Impact Subscore: 10/10
Exploitability Subscore: 6.8/10

Exploit range: Remote
Attack complexity: Medium
Authentication: Single time

Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

Affected software
Cpanel -> Cpanel 

 References:
http://www.securityfocus.com/archive/1/492223/100/0/threaded
http://www.securityfocus.com/archive/1/492259/100/0/threaded
http://www.securityfocus.com/bid/29277
http://www.securitytracker.com/id?1020042
https://exchange.xforce.ibmcloud.com/vulnerabilities/42529

Copyright 2024, cxsecurity.com
