CVE-2023-29489: 
cPanel vulnerability analysis and mitigation

A reflected cross-site scripting (XSS) vulnerability was discovered in cPanel (CVE-2023-29489) affecting versions before 11.109.9999.116. The vulnerability, also known as SEC-669, allows XSS to occur on the cpsrvd error page via an invalid webcall ID. With approximately 1.4 million cPanel installations exposed on the internet, this vulnerability affects a significant number of websites. The issue was discovered in January 2023 and was fixed by March 2023 (Assetnote Blog, NVD).

The vulnerability exists in the handling of webcall IDs through the /cpanelwebcall/ directory. When an invalid webcall ID is provided, the error message is not properly sanitized before being displayed on the cpsrvd error page. The vulnerability received a CVSS v3.1 base score of 6.1 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The issue was resolved by adding HTML encoding through the Cpanel::Encoder::Tiny::safehtmlencode_str function (Assetnote Blog, NVD).

The vulnerability allows attackers to execute arbitrary JavaScript pre-authentication on almost every port of a webserver using cPanel in its default setup. Due to Apache's proxy rules, the vulnerability is exploitable even on ports 80 and 443, affecting not only cPanel management ports but also applications running on these ports. An attacker could potentially hijack legitimate users' cPanel sessions and, if successful, upload web shells to gain command execution (Assetnote Blog).

The vulnerability has been patched in the following cPanel versions: 11.109.9999.116, 11.108.0.13, 11.106.0.18, and 11.102.0.31. Users are advised to upgrade to these versions or newer. Many cPanel installations have auto-update functionality enabled, which provides automatic protection. However, installations without auto-update enabled remain vulnerable and require manual updating (Assetnote Blog).