3 critical vulnerabilities in CPanel allow you to take control of databases and dodge 2FA in minutes

Cybersecurity specialists reported the finding of three vulnerabilities in CPanel, a dashboard for managing web hosting servers that provide automation tools and a web page-based graphical interface.

In the first flaw, many cPanel and WHM interfaces create URIs for other interfaces by incorporating user-provided data into the URI query parameters. Several cPanel and WHM interfaces used URL encoding in these parameters instead of URI encoding. Because of this error, a cPanel & WHM user might be tricked into performing arbitrary actions.

As for now, this vulnerability does not have a CVE tracking key or a score according to the Common Vulnerability Scoring System (CVSS).

The second vulnerability reported lies in the multi-factor authentication mechanism, which does not have a brute force attack prevention method. Threat actors could easily gain access to the target system.  

This is a low severity vulnerability that received a score of 3.8/10 and its exploitation would allow malicious hackers to access the affected systems remotely.

Finally, the third flaw exists due to inappropriate disinfection of user input in the WHM Transfer Tool interface. Remote threat actors could trick victims into following specially designed links and running HTML code and arbitrary script in the target user’s browser. 

The flaw received a score of 5.3/10 and its exploitation would allow the theft of confidential information, modification of the interface of a website, the deployment of phishing attacks, among other scenarios.   

Although flaws can be exploited remotely by unauthenticated threat actors, experts have not detected attempts at active exploitation or the existence of malware linked to the attack. 

Updates are now available, so users of vulnerable installations are advised to update as soon as possible.