Description
scripts/wwwacct in cPanel 11.18.6 STABLE and earlier and 11.23.1 CURRENT and earlier allows remote authenticated users with reseller privileges to execute arbitrary code via shell metacharacters in the Email address field (aka Email text box). NOTE: the vendor disputes this, stating "I'm unable to reproduce such an issue on multiple servers running different versions of cPanel.
Exploits (1)
exploitdb
WORKING POC
VERIFIED
by Ali Jasbi · textwebappsphp
https://www.exploit-db.com/exploits/31807
References (5)
Core 5
Core References
Third Party Advisory, VDB Entry mailing-list
x_refsource_bugtraq
http://www.securityfocus.com/archive/1/492223/100/0/threaded
Third Party Advisory, VDB Entry mailing-list
x_refsource_bugtraq
http://www.securityfocus.com/archive/1/492259/100/0/threaded
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://www.securitytracker.com/id?1020042
Third Party Advisory, VDB Entry vdb-entry
x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/42529
Exploit vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/29277
Scores
EPSS
0.0551
EPSS Percentile
90.3%
Details
CWE
CWE-94
Status
published
Products (2)
cpanel/cpanel
< 11.23.1
cpanel/cpanel
< 11.8.6
Published
May 28, 2008
Tracked Since
Feb 18, 2026