"The Cpanel and WebHost Manager package allows you two interfaces for web hosting control. The Cpanel interface is a client side interface, which allows your customers to easily control a web hosting account. With the touch of a button, they can add e-mail accounts, access their files, backup their files, setup a shopping cart, and more. The WebHost Manager Interface allows Web Hosting companies to control the accounts on their servers. Through WebHost Manager you can add/remove accounts on a server, park or point domains, control bandwidth, disk space, and more."
Many input variables in cPanel are not properly filtered and are prone to
XSS attacks. This could easily lead to script code execution inside the
victim's browser, abusing the trust relationship between the browser and
the server.
cPanel supports filtering of HTML and scripts in input variables, but
according to cPanel the feature was not enabled, in order to support
third-party themes.
A new version is available that is immune to the vulnerabilities.
Vulnerable Systems:
cPanel version 9.1.0-R85
Immune Systems:
cPanel 2004 EDGE release