CVE-2023-29489
Published 2023-04-27
Priority P3 · 56 · medium · CVSS 3.1 base score 6.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploit available: yes
EPSS: 65.53% (99.2nd percentile)
An issue was discovered in cPanel before 11.109.9999.116. XSS can occur on the cpsrvd error page via an invalid webcall ID, aka SEC-669. The fixed versions are 11.109.9999.116, 11.108.0.13, 11.106.0.18, and 11.102.0.31.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cpanel | cpanel | < 11.102.0.31 | 11.102.0.31 |
| cpanel | cpanel | >= 11.104.0 < 11.106.0.18 | 11.106.0.18 |
| cpanel | cpanel | >= 11.108.0 < 11.108.0.13 | 11.108.0.13 |
| cpanel | cpanel | >= 11.109.0 < 11.109.9999.116 | 11.109.9999.116 |
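The four ranges above have gaps (11.103.x and 11.107.x are not listed, and nothing at or above 11.110 is), so a naive "is it older than 11.109.9999.116" check gets the answer wrong. The following is an added example, not code from the advisory or from cPanel, that encodes the table as written and reports versions outside every listed range as "not in a listed affected range" instead of guessing. The `/usr/local/cpanel/version` path used for the live check is an assumption for this example.

```python
# Added example, not from the advisory or from cPanel: evaluates a cPanel version
# string against the four affected ranges in the table above. Versions that fall in
# none of the listed ranges (for example 11.103.x, or 11.110 and later) are reported
# as "not in a listed affected range" rather than as safe or affected, because the
# table says nothing about them.
from typing import Optional, Tuple

Version = Tuple[int, ...]

# (lower bound inclusive or None, upper bound exclusive == fixed version), as in the table.
AFFECTED_RANGES = [
    (None, "11.102.0.31"),
    ("11.104.0", "11.106.0.18"),
    ("11.108.0", "11.108.0.13"),
    ("11.109.0", "11.109.9999.116"),
]


def parse_version(text: str) -> Version:
    """'11.109.9999.116' -> (11, 109, 9999, 116). Tolerates surrounding whitespace."""
    return tuple(int(part) for part in text.strip().split("."))


def fixed_version_for(version_text: str) -> Optional[str]:
    """Return the fixed version to update to, or None if the version is in no listed range."""
    v = parse_version(version_text)
    for low, high in AFFECTED_RANGES:
        if low is not None and v < parse_version(low):
            continue          # below this range's lower bound, try the next range
        if v < parse_version(high):
            return high       # inside [low, high): affected, fixed in `high`
    return None


def classify(version_text: str) -> str:
    fixed = fixed_version_for(version_text)
    if fixed is None:
        return "not in a listed affected range"
    return f"affected, update to {fixed}"


def installed_version(path: str = "/usr/local/cpanel/version") -> str:
    # Assumption for this example: cPanel records its version in this file.
    with open(path, encoding="ascii") as fh:
        return fh.read()


if __name__ == "__main__":
    for sample in ("11.100.0.1", "11.104.0.5", "11.108.0.12", "11.109.9999.116", "11.110.0.7"):
        print(f"{sample}: {classify(sample)}")
    try:
        print(f"this host: {classify(installed_version())}")
    except OSError:
        print("this host: version file not found (not a cPanel server?)")
```

Tuple comparison does the version ordering: a shorter prefix such as `(11, 104, 0)` sorts before `(11, 104, 0, 5)`, which is exactly the "greater than or equal to the lower bound" semantics the table needs.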
Detection & IOCs (extracted from sources)
path: /cpanelwebcall/
url: {{BaseURL}}/cpanelwebcall/<>
- An HTTP response with status 400 whose body contains both 'aaaaaaaaaaaa' and 'Invalid webcall ID:' indicates a CVE-2023-29489 probe or exploit attempt against the cpsrvd error page. This condition only shows that the error page echoed the marker; it does not by itself prove the injected tag was reflected unescaped, so check the raw body (or a browser render) before reporting a host as exploitable.
- Exploit payloads target the /cpanelwebcall/ URI path with an injected XSS payload (e.g., <img src=x onerror=...>) as the webcall ID; the onerror= string in the URI is a key detection signal.
- The vulnerability exists on the cpsrvd error page triggered by an invalid webcall ID; the XSS payload is reflected in the 'Invalid webcall ID:' error message body.
- The vulnerability is only present in unpatched cPanel versions; fixed versions are 11.109.9999.116, 11.108.0.13, 11.106.0.18, and 11.102.0.31. Systems with auto-update disabled remain exposed.
- The Emerging Threats Suricata rule (sid:2045629) is classified as 'Informational' severity with 'Medium' confidence; tune accordingly to reduce false positives in environments with legitimate cPanel webcall traffic. The rule also requires the literal onerror=" (a double-quoted handler) in the normalized URI and fires only when the request carries no Referer header, so a payload with an unquoted handler, or a victim who reached the URL from a lure page, will not trigger it.
Suricata
ET EXPLOIT Suspected cPanel XSS Exploit Activity (CVE-2023-29489)
suricata · 2023-05-10 · CVSS 5.3 · [MEDIUM]
Rule:
```suricata
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Suspected cPanel XSS Exploit Activity (CVE-2023-29489)"; flow:established,to_server; http.uri; content:"/cpanelwebcall/"; nocase; fast_pattern; startswith; content:"onerror=|22|"; distance:0; http.header_names; to_lowercase; content:!"|0d 0a|referer|0d 0a|"; reference:url,blog.assetnote.io/2023/04/26/xss-million-websites-cpanel/; reference:url,forums.cpanel.net/threads/cpanel-tsr-2023-0001-full-disclosure.708949/; reference:cve,2023-29489; classtype:attempted-admin; sid:2045629; rev:2; metadata:attack_target Web_Server, created_at 2023_05_10, cve CVE_2023_29489, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Information;)
```
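To see how the request-side IOC from the detection list and the ET rule differ in practice, the following added example (not the page's or Emerging Threats' code) replays both over a few constructed access-log lines in combined log format. The log lines are made up for this example; the cpsrvd access log on a real host may use a different layout, so `LOG_RE` is an assumption to adjust before pointing it at real logs. Matching on the percent-decoded URI mirrors Suricata's normalized `http.uri` buffer.

```python
# Added example, not from the page or from Emerging Threats: replays the request-side
# detection logic from the IOC list and the ET rule (sid:2045629) over constructed
# access-log lines. Nothing here is captured traffic.
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed sample lines in Apache/NGINX "combined" format:
# remote ident user [time] "request" status bytes "referer" "user-agent"
SAMPLE_LOG = """\
203.0.113.10 - - [10/May/2023:12:00:01 +0000] "GET /cpanelwebcall/%3Cimg%20src=x%20onerror=%22prompt(1)%22%3Eaaaaaaaaaaaa HTTP/1.1" 400 512 "-" "Mozilla/5.0"
203.0.113.11 - - [10/May/2023:12:00:02 +0000] "GET /cpanelwebcall/%3Cimg%20src=x%20onerror=alert(document.domain)%3Eaaaaaaaaaaaa HTTP/1.1" 400 530 "-" "Mozilla/5.0"
203.0.113.12 - - [10/May/2023:12:00:03 +0000] "GET /cpanelwebcall/%3Cimg%20src=x%20onerror=%22prompt(1)%22%3Eaaaaaaaaaaaa HTTP/1.1" 400 512 "http://example.org/lure.html" "Mozilla/5.0"
203.0.113.13 - - [10/May/2023:12:00:04 +0000] "GET /cpanelwebcall/abc123 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.14 - - [10/May/2023:12:00:05 +0000] "GET /search?q=onerror%3D%22x%22 HTTP/1.1" 200 100 "-" "curl/8.0"
"""

# Assumed log layout for this example; adjust for the real server's format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

PATH_PREFIX = "/cpanelwebcall/"


def parse_line(line: str) -> Optional[dict]:
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["referer"] = None if entry["referer"] == "-" else entry["referer"]
    # Suricata's http.uri buffer is percent-decoded (normalized); do the same here.
    entry["uri_norm"] = unquote(entry["uri"])
    return entry


def matches_page_ioc(entry: dict) -> bool:
    """IOC from the detection list: /cpanelwebcall/ path with 'onerror=' anywhere in the URI."""
    uri = entry["uri_norm"].lower()
    return uri.startswith(PATH_PREFIX) and "onerror=" in uri


def matches_et_rule(entry: dict) -> bool:
    """Approximation of sid:2045629: URI starts with /cpanelwebcall/ (nocase), then
    contains the case-sensitive literal onerror=" (|22| is a double quote), and the
    request has no Referer header (the negated http.header_names content)."""
    uri = entry["uri_norm"]
    if not uri.lower().startswith(PATH_PREFIX):
        return False
    if 'onerror="' not in uri[len(PATH_PREFIX):]:
        return False
    return entry["referer"] is None


def scan(log_text: str) -> List[Tuple[str, bool, bool]]:
    """Per parsed line: (client ip, page IOC fired, ET rule fired)."""
    verdicts = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        verdicts.append((entry["ip"], matches_page_ioc(entry), matches_et_rule(entry)))
    return verdicts


if __name__ == "__main__":
    for ip, ioc, et in scan(SAMPLE_LOG):
        print(f"{ip}: page IOC={ioc}  ET sid:2045629={et}")
```

Two things the replay makes visible: the rule's `onerror=|22|` content only fires on a double-quoted handler, so the unquoted form in the second line slips past it while the broader IOC catches it; and the negated Referer check means a victim who followed a link from a lure page (third line) does not trigger the rule, which is tuned for direct scanner and PoC traffic.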
Nuclei
cPanel < 11.109.9999.116 - Cross-Site Scripting
nuclei · CVSS 6.1 · [MEDIUM]
```yaml
http:
  - method: GET
    path:
      - '{{BaseURL}}/cpanelwebcall/<>aaaaaaaaaaaa'
    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'aaaaaaaaaaaa'
          - 'Invalid webcall ID:'
        condition: and
      - type: status
        status:
          - 400
# digest: 4b0a00483046022100c5d0400255fcd7b88c0a7330a7a7a51169b503f5b5a8ffb699c2971dc273d574022100b1a7a3ae29d65c64123a20b7a5d5115eb26baaa28d6e02b4a941a2c85811e3cf:922c64590222798bb761d5b6d8e72950
```
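The template's matchers only check that the error page came back as a 400 containing the marker and the 'Invalid webcall ID:' text; they never look at whether the injected tag was reflected raw or HTML-escaped. The following added example (not part of the Nuclei template or of cPanel) replays those matchers over constructed cpsrvd-style bodies and adds the missing reflection check. The sample bodies and the `<img ...>` probe payload are assumptions for this example, not captured output from a real host.

```python
# Added example, not from the Nuclei template or from cPanel: applies the template's
# status+word matchers to constructed error bodies, then checks what the template
# does not, whether the probe payload came back unescaped.
import html

MARKER = "aaaaaaaaaaaa"
ERROR_TEXT = "Invalid webcall ID:"
PAYLOAD = "<img src=x onerror=alert(document.domain)>"  # assumed probe payload


def template_matches(status: int, body: str) -> bool:
    """Exactly the template's matchers: status 400 AND both words present in the body."""
    return status == 400 and MARKER in body and ERROR_TEXT in body


def reflection(body: str, payload: str = PAYLOAD) -> str:
    """How the payload came back: 'raw' (tag intact), 'escaped' (entity-encoded), or 'absent'."""
    if payload in body:
        return "raw"
    if html.escape(payload, quote=False) in body or html.escape(payload) in body:
        return "escaped"
    return "absent"


def classify(status: int, body: str, payload: str = PAYLOAD) -> str:
    if not template_matches(status, body):
        return "no template match"
    how = reflection(body, payload)
    if how == "raw":
        return "template match, payload reflected unescaped (vulnerable)"
    if how == "escaped":
        return "template match, payload HTML-escaped (do not report as exploitable)"
    return "template match, payload not found in body (verify manually)"


# Constructed sample responses for this example (not captured from a real cpsrvd).
VULNERABLE_BODY = f"<html><body><h1>Error</h1>{ERROR_TEXT} {PAYLOAD}{MARKER}</body></html>"
ESCAPED_BODY = f"<html><body><h1>Error</h1>{ERROR_TEXT} {html.escape(PAYLOAD)}{MARKER}</body></html>"
NOT_ERROR_BODY = "<html><body>OK</body></html>"

if __name__ == "__main__":
    for label, status, body in (
        ("unescaped reflection", 400, VULNERABLE_BODY),
        ("escaped reflection", 400, ESCAPED_BODY),
        ("normal page", 200, NOT_ERROR_BODY),
    ):
        print(f"{label}: {classify(status, body)}")
```

The escaped case is the one to watch: `template_matches` returns True for it just as it does for the vulnerable body, so a result from the template alone should be treated as "probe was answered", not "host is exploitable", until the raw reflection is confirmed.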
Wiz (entry for a different cPanel CVE, CVE-2025-66429, not CVE-2023-29489)
CVE-2025-66429 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 8.1 · [HIGH]
## CVE-2025-66429: cPanel vulnerability analysis and mitigation
An issue was discovered in cPanel 110 through 132. A directory traversal vulnerability within the Team Manager API allows for overwrite of an arbitrary file. This can allow for privilege escalation to the root user.
Source: NVD
Score: 8.8 (CNA score 8.8), severity HIGH
Published: December 11, 2025
Affected technologies: cPanel
Has public exploit: No
In CISA KEV: No (release date N/A, due date N/A)
EPSS: 0.2 (37.8th percentile)
Affected packages and libraries: cpe:2.3:a:cpanel:cpanel
Sources: Linux · severity HIGH · has fix · added Dec 16, 2025
HackerOne
CVE-2023-29489 XSS in cpanel at [www.███] - Securado, Oman
hackerone · 2023-06-09 · CVSS 5.3 · [MEDIUM]
**Description:**
There is a cross-site scripting vulnerability in the cPanel application hosted on the website. cPanel is not updated because the auto-update feature is disabled.
## Impact
An attacker can steal cookies or hijack the browser session.
## System Host(s)
www.██████
## Affected Product(s) and Version(s)
## CVE Numbers
## Steps to Reproduce
1. Go to `http://www.████/cpanelwebcall/%3Cimg%20src=x%20onerror=%22prompt(1)%22%3Eaaaaaaaaaaaa`
2. You will see the XSS popup message.
## Suggested Mitigation/Remediation Actions
Enable the auto-update feature and update cPanel.