Arbitrary file disclosure in cPanel - #VU4873

Published: January 18, 2017


Vulnerability identifier: #VU4873
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: cPanel, Inc
Affected software: cPanel

Detailed vulnerability description

The vulnerability allows a remote attacker to read arbitrary files on the system.

The vulnerability exists due to an error in how valiases (virtual mail aliases) are processed for user accounts. A remote authenticated user can create a valias entry that includes other files, and those files are then read with the privileges of the Exim system user rather than the user's own.

Successful exploitation of the vulnerability may allow an attacker to read arbitrary files on the system.
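The following audit script is an added example, not code from the advisory or from cPanel: it scans an alias file for file-inclusion targets and flags any that resolve outside the owning account's home directory (following `..` components and symlinks, which a naive string-prefix check would miss). It assumes Exim's `:include:/path` alias syntax is the inclusion mechanism; the sample alias file and the `/home/example` base directory are constructed for illustration.

```python
import os
import re
from typing import Iterator

# Assumption (not stated in the advisory): the alias file uses Exim's alias
# syntax, where a target of the form ":include:/path" pulls another file in.
INCLUDE_RE = re.compile(r":include:\s*([^\s,]+)")

def include_targets(alias_text: str) -> Iterator[str]:
    """Yield every :include: path referenced in an alias file's text."""
    for line in alias_text.splitlines():
        line = line.split("#", 1)[0]  # strip trailing comments
        for match in INCLUDE_RE.finditer(line):
            yield match.group(1)

def is_within(path: str, base: str) -> bool:
    """True if `path` resolves (symlinks and '..' components included) inside `base`."""
    real_base = os.path.realpath(base)
    real_path = os.path.realpath(path)
    return os.path.commonpath([real_base, real_path]) == real_base

def audit_aliases(alias_text: str, allowed_base: str) -> list[str]:
    """Return the :include: targets that escape allowed_base (the account's home directory).

    Relative targets are flagged too: they resolve against the mail daemon's
    working directory, not against the account that owns the alias file.
    """
    escaped = []
    for target in include_targets(alias_text):
        if not os.path.isabs(target) or not is_within(target, allowed_base):
            escaped.append(target)
    return escaped

# Constructed sample alias file; addresses and paths are illustrative only.
SAMPLE_ALIASES = """\
sales: alice@example.test, bob@example.test
team: :include:/home/example/mail/team-list      # fine: stays inside the account
leak: :include:/etc/shadow                       # system file read as the Exim user
sneaky: :include:/home/example/../../etc/passwd  # '..' traversal out of the home dir
"""

if __name__ == "__main__":
    for target in audit_aliases(SAMPLE_ALIASES, "/home/example"):
        print("include target escapes account home:", target)
```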


Remediation

This issue is resolved in the following builds:
62.0.4
60.0.35
58.0.43

Sources