cPanel before 82.0.15 Insufficient Session Expiration Vulnerability

Summary

When a cPanel user’s account was renamed or terminated, the API tokens belonging to the account were left installed on the system under the old name. Any new accounts created with the same name would allow access to the previous account’s API tokens.

Credit:

The information has been provided by the vendor.

The original article can be found at: https://news.cpanel.com/cpanel-tsr-2019-0005-full-disclosure/


Details

cPanel before 82.0.15 allows API token credentials to persist after an account has been renamed or terminated (SEC-517).
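
The flaw class described above, shown as an added example in a toy token store keyed by account name; this is not cPanel's code, and every class, method and account name in it is hypothetical. With `purge_on_lifecycle=False` the store behaves as the advisory describes; with `True` it revokes tokens on termination and, as an assumption about one reasonable fix, moves them with the account on rename.

```python
import secrets

class TokenStore:
    """Toy model: API tokens are stored under the account *name*."""

    def __init__(self, purge_on_lifecycle):
        self.purge = purge_on_lifecycle  # False models the behaviour the advisory describes
        self.accounts = set()            # names of live accounts
        self.tokens = {}                 # account name -> set of token strings

    def create_account(self, name):
        if self.purge:
            self.tokens.pop(name, None)  # a new account never inherits stored tokens
        self.accounts.add(name)

    def issue_token(self, name):
        if name not in self.accounts:
            raise KeyError(name)
        token = secrets.token_hex(16)
        self.tokens.setdefault(name, set()).add(token)
        return token

    def terminate_account(self, name):
        self.accounts.discard(name)
        if self.purge:
            self.tokens.pop(name, None)  # revoke tokens together with the account

    def rename_account(self, old, new):
        self.accounts.discard(old)
        self.accounts.add(new)
        if self.purge and old in self.tokens:
            self.tokens[new] = self.tokens.pop(old)  # assumption: tokens follow the account

    def authenticate(self, name, token):
        return name in self.accounts and token in self.tokens.get(name, set())

    def orphaned_entries(self):
        """Audit check: token entries whose account name is not a live account."""
        return sorted(set(self.tokens) - self.accounts)

def token_survives_recreation(store, name="exampleuser"):
    """True if a token issued before termination still authenticates for a
    new account created under the same name."""
    store.create_account(name)
    old_token = store.issue_token(name)
    store.terminate_account(name)
    store.create_account(name)
    return store.authenticate(name, old_token)
```

`orphaned_entries()` is the audit view of the same problem: any token entry whose name matches no live account is a credential waiting for that name to be reused.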

Vulnerable Systems:

cPanel before 82.0.15 

CVE Information:

CVE-2019-17375

Disclosure Timeline:
Published Date: 10/09/2019