cPanel 11.15.0-RELEASE_17853 - XSS in /scripts2/top



DESCRIPTION


/scripts2/top is a WHM page, available only to root, that lists the processes consuming the most CPU. For each process it displays the pid, owner, priority, CPU and memory usage, and the command.

The command field is taken from the process's own name, which the process owner controls, and is inserted into the page as-is. If a local user starts a process whose name contains JavaScript, that script runs in root's browser, inside root's authenticated WHM session, as soon as root clicks the "Show Current CPU Usage" link (assuming JavaScript is enabled), and can issue requests to WHM on root's behalf without root noticing.
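The rendering flaw described above, as an added example that is not cPanel's code: a constructed ps-style listing in which one local user's process carries markup in its command name, the flawed renderer that concatenates fields into the table verbatim beside the hardened form that HTML-escapes them, and a check that a reviewer can run against either renderer. The sample process lines, the column layout and the function names are assumptions for illustration; the script in the last command is a harmless probe standing in for script that would issue WHM requests in root's session.

```python
import html
import re

# Constructed stand-in for the raw process listing /scripts2/top renders:
# pid, owner, priority, %cpu, %mem, and the command (which may contain spaces).
# The last entry's command is a harmless probe standing in for script that
# would issue WHM requests as root; argv[0] is under the process owner's
# control, so a local user can put arbitrary markup there.
RAW_PS_LINES = """\
 1234 www        0  3.1  0.4 /usr/local/apache/bin/httpd -k start
 2345 mysql      0 12.7  5.2 /usr/sbin/mysqld
 3456 localuser  0 97.0  0.1 <script>alert(document.domain)</script>
"""

COLUMNS = ("pid", "owner", "priority", "cpu", "mem", "command")


def parse_ps(text):
    """Split each line into the six fields; maxsplit=5 keeps the whole
    command, spaces included, in the last (attacker-controlled) field."""
    procs = []
    for line in text.splitlines():
        parts = line.split(None, 5)
        if len(parts) == 6:
            procs.append(dict(zip(COLUMNS, parts)))
    return procs


def render_table(procs, escape):
    """Build the HTML table. escape=False reproduces the flawed behaviour
    (fields dropped into the markup verbatim); escape=True is the fix."""
    cell = (lambda v: html.escape(v, quote=True)) if escape else (lambda v: v)
    header = "<tr>" + "".join(f"<th>{c}</th>" for c in COLUMNS) + "</tr>"
    rows = "".join(
        "<tr>" + "".join(f"<td>{cell(p[c])}</td>" for c in COLUMNS) + "</tr>"
        for p in procs
    )
    return f"<table>{header}{rows}</table>"


def render_vulnerable(procs):
    return render_table(procs, escape=False)


def render_hardened(procs):
    return render_table(procs, escape=True)


# Tags that execute script or load resources in the viewer's browser. Any
# literal occurrence in the rendered page means untrusted text reached it
# unescaped.
ACTIVE_TAG_RE = re.compile(
    r"<\s*/?\s*(script|img|iframe|svg|object|embed)\b", re.IGNORECASE
)


def leaks_active_markup(rendered_html):
    """Reviewer check: True if a process field introduced an active tag."""
    return ACTIVE_TAG_RE.search(rendered_html) is not None


if __name__ == "__main__":
    procs = parse_ps(RAW_PS_LINES)
    for name, renderer in (("vulnerable", render_vulnerable),
                           ("hardened", render_hardened)):
        print(f"{name}: active markup leaked = "
              f"{leaks_active_markup(renderer(procs))}")
```

The hardened renderer escapes every column, not only the command, because the fix belongs at the point where data becomes HTML rather than in a guess about which fields an attacker can influence. The check is deliberately crude: it flags any tag that would execute or fetch, which is enough to catch a renderer that forgets to escape.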



IMPACT


Any local user able to run a process can cause root's browser to issue authenticated WHM requests of the attacker's choosing. This includes requests that change the server's root password and that change the resolvers in /etc/resolv.conf, which amounts to root-level control of the server.