cPanel last week released patches to address three vulnerabilities in cPanel & WebHost Manager (WHM), including one leading to two-factor authentication bypass.
A suite of tools built for Linux, cPanel & WHM helps hosting providers and users automate management and web hosting tasks. With over 20 years of web hosting experience, cPanel claims servers using cPanel & WHM have launched more than 70 million domains.
Identified by security researchers at Digital Defense, Inc., the 2FA bypass issue could allow attackers to perform brute-force attacks on cPanel & WHM. An attacker with knowledge of or access to valid credentials, the researchers say, could bypass the 2FA protections on an account within minutes.
The vulnerability, which has a CVSS score of 4.3, resulted in an attacker being able to repeatedly submit 2FA codes.
“Failed validation of the two-factor authentication code is now treated as equivalent to a failure of the account’s primary password validation and rate limited by cPHulk,” cPanel explains.
cPanel & WHM builds 11.92.0.2, 11.90.0.17, and 11.86.0.32 were found vulnerable.
The same builds were also found susceptible to URL parameter injection, due to the manner in which URIs to other interfaces were being created.
When creating URIs (by including user-supplied data in URI query parameters), URL encoding and not URI encoding was employed. Thus, users could have been tricked into performing unintended actions.
A third vulnerability addressed last week was a self-XSS issue in the WHM Transfer Tool interface, where error messages were not properly encoded, thus leading to the possible injection of HTML code into some messages. Builds 11.92.0.2 and 11.90.0.17 were found to be vulnerable.
“The cPanel Security Team and independent security researchers identified the resolved security issues. There is no reason to believe that these vulnerabilities have been made known to the public,” cPanel said last week.
Related: 6 Ways Attackers Are Still Bypassing SMS 2-Factor Authentication
Related: Why Not Always Multi-Factor Authentication?

More from Ionut Arghire
- Information of 2.5M People Stolen in Ransomware Attack at Massachusetts Health Insurer
- US, South Korea Detail North Korea’s Social Engineering Techniques
- High-Severity Vulnerabilities Patched in Splunk Enterprise
- Enzo Biochem Ransomware Attack Exposes Information of 2.5M Individuals
- Google Temporarily Offering $180,000 for Full Chain Chrome Exploit
- Toyota Discloses New Data Breach Involving Vehicle, Customer Information
- Adobe Inviting Researchers to Private Bug Bounty Program
- Critical Vulnerabilities Found in Faronics Education Software
Latest News
- Insider Q&A: Artificial Intelligence and Cybersecurity In Military Tech
- In Other News: Government Use of Spyware, New Industrial Security Tools, Japan Router Hack
- OpenAI Unveils Million-Dollar Cybersecurity Grant Program
- Galvanick Banks $10 Million for Industrial XDR Technology
- Information of 2.5M People Stolen in Ransomware Attack at Massachusetts Health Insurer
- US, South Korea Detail North Korea’s Social Engineering Techniques
- High-Severity Vulnerabilities Patched in Splunk Enterprise
- Idaho Hospitals Working to Resume Full Operations After Cyberattack
