Research Notes
April 26, 2023

Advisory: Reflected Cross-Site Scripting in cPanel (CVE-2023-29489)

No items found.
Creative Commons license


A reflected cross-site scripting vulnerability can be exploited without any authentication in affected versions of cPanel. The XSS vulnerability is exploitable regardless of whether or not the cPanel management ports (2080, 2082, 2083, 2086) are exposed externally. Websites on port 80 and 443 are also vulnerable to the cross-site scripting vulnerability if they are being managed by cPanel.

An attacker can escalate this cross-site scripting vulnerability to command execution, if targeting a logged in cPanel user.


It is possible to execute arbitrary JavaScript, pre-authentication in the context of a victim, on almost every port of a webserver using cPanel within its default setup.

Even on port 80 and 443, it is possible to reach the <span class="code_single-line">/cpanelwebcall/</span> directory as it is being proxied to the cPanel management ports by Apache.

Because of this, an attacker can not only attack the management ports of cPanel but also the applications that are running on port 80 and 443.

Due to the fact that the cPanel management ports are vulnerable to this cross-site scripting attack, an attacker could leverage this vulnerability to hijack a legitimate user’s cPanel session.

Once acting on behalf of an authenticated user of cPanel, it is usually trivial to upload a web shell and gain command execution.

Affected Software

The following versions are affected by this cross-site scripting vulnerability:

  • < 11.109.9999.116
  • <
  • <
  • <

Product Description

cPanel is a web hosting control panel software that is deployed widely across the internet.


This vulnerability can be remediated by upgrading to any of the following cPanel versions or above:

  • 11.109.9999.116

cPanel’s official advisory can be found here.

Blog Post

The blog post detailing the steps taken for the discovery of this vulnerability can be found here.


Shubham Shah - Assetnote Security Research Team


The timeline for this disclosure process can be found below:

  • Jan 23rd, 2023: Disclosure of the XSS vulnerability to cPanel via <span class="code_single-line"></span>.
  • Jan 23rd, 2023: Confirmation from cPanel that they have received the vulnerability and are investigating further.
  • Feb 12th, 2023: Request for updates from Assetnote side
  • Feb 13th, 2023: Vulnerability confirmed by cPanel and assigned <span class="code_single-line">SEC-669</span>. Targeted security fix release to follow in a few weeks.
  • March 1st, 2023: Vulnerability fixed and public disclosure released on cPanel website.
Written by:
Shubham Shah
Your subscription could not be saved. Please try again.
Your subscription has been successful.

Get updates on our research

Subscribe to our newsletter and stay updated on the newest research, security advisories, and more!

Ready to get started?

Get on a call with our team and learn how Assetnote can change the way you secure your attack surface. We'll set you up with a trial instance so you can see the impact for yourself.