Vulnerabilities > CVE-2004-2308 - Cross-Site Scripting vulnerability in cPanel dir Parameter
Attack vector
NETWORK Attack complexity
MEDIUM Privileges required
NONE Confidentiality impact
NONE Integrity impact
PARTIAL Availability impact
NONE Summary
Cross-site scripting (XSS) vulnerability in cPanel 9.1.0 and possibly earlier allows remote attackers to inject arbitrary web script or HTML via the dir parameter in dohtaccess.html.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 12 |
Exploit-Db
| description | cPanel 5/6/7/8/9 dir Parameter Cross-Site Scripting Vulnerability. CVE-2004-2308. Webapps exploit for cgi platform |
| id | EDB-ID:23806 |
| last seen | 2016-02-02 |
| modified | 2004-03-12 |
| published | 2004-03-12 |
| reporter | Fable |
| source | https://www.exploit-db.com/download/23806/ |
| title | cPanel 5/6/7/8/9 dir Parameter Cross-Site Scripting Vulnerability |
Nessus
| NASL family | CGI abuses |
| NASL id | CPANEL_LOGIN_CMD_EXEC.NASL |
| description | The version of cPanel installed on the remote host is version 9.1.0 (or earlier) and thus reportedly affected by multiple issues: - The dohtaccess.html script fails to sanitize input supplied by a user and is affected by a cross-site scripting vulnerability. (CVE-2004-2308) - Both the Login Page and resetpass functionality fail to sanitize user input and can be manipulated to execute arbitrary commands (CVE-2004-1769 & CVE-2004-1770). For example, the following URL demonstrates the id command being executed: http://www.example.com:2082/login/?user=| |
| last seen | 2020-06-01 |
| modified | 2020-06-02 |
| plugin id | 12097 |
| published | 2004-03-14 |
| reporter | This script is Copyright (C) 2004-2018 Tenable Network Security, Inc. |
| source | https://www.tenable.com/plugins/nessus/12097 |
| title | cPanel <= 9.1.0 Multiple Vulnerabilities |