cPanel Unscheduled TSR-2020-0006 Full Disclosure

Status
Not open for further replies.

cPanelPhilH

Community Manager
Staff member
CPANEL-34212



Summary


Live Transfer causes email accounts to not require a password on the source server.



Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 5.6 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L



Description

Previously, when Exim asked for authentication data, cpdoveauthd would send Exim the response for proxying without a password.
Since Exim ignores “proxy_maybe”, that caused Exim to forgo SMTP authentication in those cases.



Solution

This issue is resolved in the following build:
11.90.0.13



For the PGP-signed message, please see TSR-2020-0006.full.disclosure.signed
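
An added example (not cPanel's code) for checking a server against the fixed build named under Solution: it compares a version string numerically, component by component, so that 11.90.0.9 sorts below 11.90.0.13 where a plain string comparison would not. The function name, the status words and the sample versions are constructed for illustration; only 11.90.0.13 comes from the advisory, and versions outside the 11.90 series are reported as not covered because the advisory names no build for them.

```shell
#!/bin/sh
# Added example: classify a cPanel & WHM version string against the build
# that this advisory names as fixed.
FIXED_BUILD="11.90.0.13"   # from the advisory

# Prints one of: fixed | needs-update | not-covered | invalid
# (status words are hypothetical, chosen for this example)
check_tsr_2020_0006() {
    ver=$1
    # Accept digits and single dots only; reject anything else early.
    case $ver in
        ''|*[!0-9.]*|.*|*.|*..*) echo invalid; return 0 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $ver                      # split candidate into components
    IFS=$old_ifs
    [ $# -eq 4 ] || { echo invalid; return 0; }
    v1=$1 v2=$2 v3=$3 v4=$4
    IFS=.
    set -- $FIXED_BUILD              # split the fixed build the same way
    IFS=$old_ifs
    # The advisory lists a fixed build for one release series only, so a
    # different series cannot be judged from it.
    if [ "$v1" -ne "$1" ] || [ "$v2" -ne "$2" ]; then
        echo not-covered
        return 0
    fi
    # Numeric comparison of the last two components.
    if [ "$v3" -gt "$3" ] || { [ "$v3" -eq "$3" ] && [ "$v4" -ge "$4" ]; }; then
        echo fixed
    else
        echo needs-update
    fi
}

# Constructed sample inputs. On a real server the string would come from the
# installed version file (assumed here to be /usr/local/cpanel/version).
for v in 11.90.0.9 11.90.0.13 11.90.1.0 11.88.0.5 "90.0 (build 13)"; do
    printf '%-18s %s\n' "$v" "$(check_tsr_2020_0006 "$v")"
done
```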
 