Information exposure in Branding API - #VU41
Published: June 28, 2016
Detailed vulnerability description
The vulnerability allows a remote authenticated attacker to gain access to sensitive information.
The vulnerability exists due to improper validation of the brandingpkg argument in cPanel API 1 Branding calls. A remote authenticated user with a Webmail account can read arbitrary files owned by the cPanel account.
Successful exploitation of this vulnerability may allow an attacker to gain access to potentially sensitive information.