Technical News
Written by Presoon John   
Saturday, 16 February 2008

CPanel: Script Insertion and Cross-Site Scripting Vulnerability

 

Although Secunia rated this as a “less critical” vulnerability, it is not fixed in the public builds. Successful exploitation requires that “XSRF protection”, found in WHM’s Tweak Settings under the Security section, is disabled.

SECUNIA ADVISORY: SA33990

The vulnerabilities were reported and explained by a security researcher on his blog at skeptikal.org. They are best explained by the site itself:


1: The .contactemail file in the user’s home directory

You can read more at http://skeptikal.org/index.php?entry=entry080805-140000

2: Passing input via /scripts2/confdkillproc

You can read more at http://skeptikal.org/index.php?entry=entry080809-180834

This has been fixed in the Edge and Current builds, versions 11.24.4 and 11.24.7, with a build ID greater than 34195. See http://layer2.cpanel.net/


Last Updated ( Sunday, 01 March 2009 )