CVE-2023-29489
published 2023-04-27


Priority: P3 (56, medium)
CVSS 3.1: 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Exploit: EPSS 65.53% (99.2th percentile)
An issue was discovered in cPanel before 11.109.9999.116. XSS can occur on the cpsrvd error page via an invalid webcall ID, aka SEC-669. The fixed versions are 11.109.9999.116, 11.108.0.13, 11.106.0.18, and 11.102.0.31.

Affected

4 ranges
Vendor | Product | Version range                 | Fixed in
cpanel | cpanel  | < 11.102.0.31                 | 11.102.0.31
cpanel | cpanel  | >= 11.104.0 < 11.106.0.18     | 11.106.0.18
cpanel | cpanel  | >= 11.108.0 < 11.108.0.13     | 11.108.0.13
cpanel | cpanel  | >= 11.109.0 < 11.109.9999.116 | 11.109.9999.116

Detection & IOCs (extracted from sources)

url:  /cpanelwebcall/<img src=x onerror="prompt(1)">aaaaaaaaaaaa
path: /cpanelwebcall/
url:  {{BaseURL}}/cpanelwebcall/<>
  • HTTP response status 400 combined with body containing both 'aaaaaaaaaaaa' and 'Invalid webcall ID:' is indicative of a CVE-2023-29489 probe/exploit attempt against the cpsrvd error page.
  • Exploit payloads target the /cpanelwebcall/ URI path with an injected XSS payload (e.g., <img src=x onerror=...>) as the webcall ID; the onerror= string in the URI is a key detection signal.
  • The vulnerability exists on the cpsrvd error page triggered by an invalid webcall ID; the XSS payload is reflected in the 'Invalid webcall ID:' error message body.
  • The vulnerability is only present in unpatched cPanel versions; fixed versions are 11.109.9999.116, 11.108.0.13, 11.106.0.18, and 11.102.0.31. Systems with auto-update disabled remain exposed.
  • The Emerging Threats Snort rule (sid:2045629) is classified as 'Informational' severity with 'Medium' confidence; tune accordingly to reduce false positives in environments with legitimate cPanel webcall traffic.
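The detection signals listed above (a /cpanelwebcall/ request whose "ID" carries markup such as onerror=, and a 400 response that echoes that ID verbatim after 'Invalid webcall ID:'), together with the affected-version table, can be turned into a small triage helper. The following Python is an added example written for this page; it is not code from cPanel, Emerging Threats or the Nuclei project. The event records are constructed for the example, and the assumption that a patched cpsrvd HTML-escapes the ID (so only a verbatim echo counts as a successful reflection) is this example's, not a statement from the record above.

```python
import re
from urllib.parse import unquote

# Indicators taken from the CVE record: the vulnerable path and the error marker.
WEBCALL_PATH = "/cpanelwebcall/"
ERROR_MARKER = "Invalid webcall ID:"

# A webcall ID should be an opaque identifier. An event-handler attribute
# (onerror=, onload=, ...) or an angle bracket in it means the ID is being used
# to carry markup, which is the probe shape described in the record.
_PAYLOAD_RE = re.compile(r"on[a-z]+\s*=|[<>]", re.IGNORECASE)

# Affected ranges copied from the table above: (lower inclusive, upper exclusive).
# The upper bound of each range is the version that fixes that branch.
AFFECTED_RANGES = [
    (None, "11.102.0.31"),
    ("11.104.0", "11.106.0.18"),
    ("11.108.0", "11.108.0.13"),
    ("11.109.0", "11.109.9999.116"),
]


def _webcall_id(path: str):
    """Return the decoded webcall ID from a request path, or None if the path
    is not under /cpanelwebcall/."""
    decoded = unquote(path)
    if not decoded.startswith(WEBCALL_PATH):
        return None
    return decoded[len(WEBCALL_PATH):]


def probe_in_request(path: str) -> bool:
    """Request-side signal: a /cpanelwebcall/ URI with markup in the ID."""
    webcall_id = _webcall_id(path)
    return webcall_id is not None and bool(_PAYLOAD_RE.search(webcall_id))


def reflection_in_response(path: str, status: int, body: str) -> bool:
    """Response-side signal: HTTP 400 whose 'Invalid webcall ID:' text repeats
    the ID verbatim (unescaped). Assumption: a patched server escapes it, so an
    escaped echo (&lt;img ...) is not counted as a reflection."""
    webcall_id = _webcall_id(path)
    if webcall_id is None or status != 400 or ERROR_MARKER not in body:
        return False
    after_marker = body.split(ERROR_MARKER, 1)[1]
    return webcall_id in after_marker


def classify(event: dict) -> str:
    """Classify one request/response pair as 'reflected', 'probe' or 'none'."""
    path, status, body = event["path"], event["status"], event["body"]
    if probe_in_request(path):
        return "reflected" if reflection_in_response(path, status, body) else "probe"
    return "none"


def _vtuple(version: str):
    return tuple(int(part) for part in version.split("."))


def is_affected(version: str):
    """Return the fixed-in version for the branch a cPanel version falls in,
    or None when the version is outside every affected range."""
    v = _vtuple(version)
    for lower, upper in AFFECTED_RANGES:
        if (lower is None or v >= _vtuple(lower)) and v < _vtuple(upper):
            return upper
    return None


# Constructed sample events (not real traffic): a vulnerable-server echo, a
# patched-server escaped echo, a benign webcall, and an unrelated page.
SAMPLE_EVENTS = [
    {"path": "/cpanelwebcall/%3Cimg%20src%3Dx%20onerror%3D%22prompt(1)%22%3Eaaaaaaaaaaaa",
     "status": 400,
     "body": '<html><body>Invalid webcall ID: <img src=x onerror="prompt(1)">aaaaaaaaaaaa</body></html>'},
    {"path": "/cpanelwebcall/%3Cimg%20src%3Dx%20onerror%3D%22prompt(1)%22%3Eaaaaaaaaaaaa",
     "status": 400,
     "body": "Invalid webcall ID: &lt;img src=x onerror=&quot;prompt(1)&quot;&gt;aaaaaaaaaaaa"},
    {"path": "/cpanelwebcall/abc123def", "status": 200, "body": "ok"},
    {"path": "/login/", "status": 200, "body": "<html>onerror=</html>"},
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(f"{classify(event):9s} {event['path']}")
    for version in ("11.102.0.30", "11.103.0.5", "11.109.9999.115", "11.109.9999.116"):
        print(version, "->", is_affected(version) or "not in an affected range")
```

Only the request-side signal is available from a plain access log; the "reflected" verdict needs the response body, so it fits a WAF or proxy log with body capture. A version that sits between two ranges (for example 11.103.x) is reported as not affected because the table lists no range for it.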