Security researcher Christy Philip Mathew has identified cross-site scripting (XSS) vulnerabilities in cPanel & WHM 11.34, the latest version of the popular web hosting control panel.
Security holes have been found on the Basic cPanel & WHM Setup page, and on a couple of webpages of the X3 theme demo.
The expert has released a YouTube video along with a detailed proof-of-concept which he has published on The Hacker News.
He told me in an email that the vulnerability had been reported to CERT, but not the vendor itself.
Mathew is not the only researcher to identify XSS flaws in cPanel. Earlier this week, Rafay Baloch discovered similar vulnerabilities.
“The vulnerability can be easily exploited and can be used to steal cookies, perform phishing attacks and other various attacks compromising the security of a user,” the expert wrote in the advisory he published.