Risk | Low |
Patch available | YES |
Number of vulnerabilities | 1 |
CVE-ID | CVE-2017-5614 |
CWE-ID | CWE-601 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software | cPanel Web applications / Remote management & hosting panels |
Vendor | cPanel, Inc |
Security Bulletin
This security bulletin contains one low risk vulnerability.
EUVDB-ID: #VU31443
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-5614
CWE-ID: CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Exploit availability: No
Description
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
Open redirect vulnerability in cgiemail and cgiecho allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via vectors involving the (1) success or (2) failure parameter.
Mitigation
Install update from vendor's website.
Vulnerable software versions
cPanel: 11.60.0.3 - 11.60.0.34
https://www.openwall.com/lists/oss-security/2017/01/28/8
https://www.securityfocus.com/bid/95870
https://news.cpanel.com/tsr-2017-0001-full-disclosure/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.