#VU4873 Arbitrary file disclosure in cPanel
Published: January 18, 2017
Vulnerability identifier: #VU4873
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
cPanel
Software vendor:
cPanel, Inc
Description
The vulnerability allows a remote attacker to read arbitrary files on the system.
The vulnerability exists due to an error when processing valiases for users. A remote authenticated user can create a valias that includes other files and read them with the privileges of the Exim system user.
Successful exploitation of the vulnerability may allow an attacker to read arbitrary files on the system.
Remediation
This issue is resolved in the following builds:
62.0.4
60.0.35
58.0.43