Vulnerability CVE-2017-18406


Published: 2019-08-02

Description:
cPanel before 67.9999.103 allows SQL injection during eximstats processing (SEC-276).

Type:
CWE-89 (Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'))

Vendor: Cpanel
Product: Cpanel 
Version:
67.9999.99
67.9999.96
67.9999.86
67.9999.78
67.9999.76
67.9999.64
66.0.9
66.0.8
66.0.7
66.0.6
66.0.5
66.0.4
66.0.3
66.0.22
66.0.2
66.0.19
66.0.18
66.0.17
66.0.15
66.0.14
66.0.13
66.0.12
66.0.11
66.0.10
66.0.1
65.9999.94
65.9999.91
65.9999.87
65.9999.82
65.9999.78
65.9999.74
65.9999.70
65.9999.66
65.9999.64
65.9999.57
65.9999.50
65.9999.49
65.9999.39
65.9999.38
65.9999.195
65.9999.192
65.9999.190
65.9999.189
65.9999.187
65.9999.186
65.9999.184
65.9999.183
65.9999.182
65.9999.180
65.9999.179
65.9999.177
65.9999.176
65.9999.172
65.9999.170
65.9999.155
65.9999.140
65.9999.136
65.9999.126
65.9999.120
65.9999.107
65.9999.104
65.9999.100
64.0.9
64.0.7
64.0.4
64.0.39
64.0.38
64.0.36
64.0.33
64.0.32
64.0.31
64.0.30
64.0.3
64.0.29
64.0.27
64.0.24
64.0.22
64.0.21
64.0.20
64.0.2
64.0.19
64.0.18
64.0.17
64.0.15
64.0.14
64.0.13
64.0.12
64.0.11
64.0.1
64.0.0
63.9999.97
63.9999.84
63.9999.74
63.9999.134
63.9999.132
63.9999.125
63.9999.113
63.9999.107

CVSS2 => (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

References:
https://documentation.cpanel.net/display/CL/68+Change+Log
https://news.cpanel.com/cpanel-tsr-2017-0005-full-disclosure/

Related CVE
CVE-2016-10812
In cPanel before 57.9999.54, /scripts/enablefileprotect exposed TTYs (SEC-117).
CVE-2016-10811
In cPanel before 57.9999.54, /scripts/unsuspendacct exposed TTYs (SEC-116).
CVE-2016-10810
In cPanel before 57.9999.54, /scripts/maildir_converter exposed a TTY to an unprivileged process (SEC-115).
CVE-2016-10809
In cPanel before 57.9999.54, /scripts/checkinfopages exposed a TTY to an unprivileged process (SEC-114).
CVE-2016-10808
In cPanel before 57.9999.54, /scripts/addpop and /scripts/delpop exposed TTYs (SEC-113).
CVE-2016-10807
cPanel before 57.9999.54 allows certain denial-of-service outcomes via /scripts/killpvhost (SEC-112).
CVE-2016-10806
cPanel before 57.9999.54 allows self XSS on the Paper Lantern Landing Page (SEC-110).
CVE-2016-10805
cPanel before 57.9999.54 allows demo accounts to execute arbitrary code via ajax_maketext_syntax_util.pl (SEC-109).

Copyright 2019, cxsecurity.com

 
