Main Vulnerability Database Vulnerabilities #VU40

Privilege escalation via show_template.stor - #VU40

Published: June 28, 2016

Vulnerability identifier: #VU40

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: N/A

CWE-ID: CWE-94

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor:

Affected software:

Detailed vulnerability description

The vulnerability allows a remote authenticated attacker to execute arbitrary code with escalated privileges.

The vulnerability exists due to improper filtration of input data in cpsrvd, when handling document parameters. A remote authenticated attacker with demo access can pass specially crafted code to show_template.stor script and execute it on the system under demo account.

Successful exploitation of this vulnerability may result in execution of arbitrary OS commands.

Remediation

Install the latest version 11.56.0.15, 11.54.0.24, 11.52.6.1 or 11.50.6.2.

Sources

http://news.cpanel.com/cpanel-tsr-2016-0003-full-disclosure/

Privilege escalation via show_template.stor - #VU40

Detailed vulnerability description

Remediation

Sources

Please verify you're human