Demo account arbitrary code execution - #VU37


Published: June 28, 2016


Vulnerability identifier: #VU37
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: N/A
CWE-ID: CWE-94
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor:
Affected software:

Detailed vulnerability description

The vulnerability allows a remote authenticated user to execute arbitrary Perl code.

The vulnerability exists due to an error in the ajax_maketext_syntax_util.pl file when handling input data passed from untrusted sources. A remote authenticated attacker with a demo account can pass certain maketext functions to the vulnerable script and execute arbitrary Perl code on the target system.

Successful exploitation of this vulnerability will allow execution of arbitrary Perl code and may lead to system compromise.


Remediation

Install one of the fixed versions: 11.56.0.15, 11.54.0.24, 11.52.6.1 or 11.50.6.2.

Sources