CVE-2008-2070

Cpanel - XSS

Title source: rule

Description

The WHM interface 11.15.0 for cPanel 11.18 before 11.18.4 and 11.22 before 11.22.3 allows remote attackers to bypass XSS protection and inject arbitrary script or HTML via repeated, improperly-ordered "<" and ">" characters in the (1) issue parameter to scripts2/knowlegebase, (2) user parameter to scripts2/changeip, (3) search parameter to scripts2/listaccts, and other unspecified vectors.

Exploits (3)

exploitdb WRITEUP VERIFIED

by Matteo Carli · textwebappsphp

https://www.exploit-db.com/exploits/31772

View Code ZIP pw:eip

exploitdb WRITEUP VERIFIED

by Matteo Carli · textwebappsphp

https://www.exploit-db.com/exploits/31771

View Code ZIP pw:eip

exploitdb WRITEUP VERIFIED

by Matteo Carli · textwebappsphp

https://www.exploit-db.com/exploits/31773

View Code ZIP pw:eip

References (8)

[Various Sources] http://changelog.cpanel.net/?revision=0%3Btree=%3Btreeview=%3Bshow=html%3Bpp=25%3Bte=1314%3Bpg=2

[Mailing List] http://lists.grok.org.uk/pipermail/full-disclosure/2008-May/062197.html

[Exploit] http://www.securityfocus.com/bid/29125

[Third Party Advisory, VDB Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/42305

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/archive/1/491864/100/0/threaded

[Third Party Advisory] http://secunia.com/advisories/30166

[Third Party Advisory] http://www.vupen.com/english/advisories/2008/1522/references

[Third Party Advisory] http://securityreason.com/securityalert/3866

Scores

EPSS 0.0096

EPSS Percentile 76.2%

Classification

CWE

CWE-79

Status draft

Affected Products (7)

cpanel/cpanel

cpanel/cpanel

cpanel/cpanel

cpanel/cpanel

cpanel/cpanel

cpanel/cpanel

cpanel/cpanel

Timeline

Published May 12, 2008

Tracked Since Feb 18, 2026