Agna Zilchi has discovered a vulnerability in WHM AutoPilot, which can be exploited by malicious users to bypass certain security restrictions.
The vulnerability is caused by insufficient verification of the "c" parameter in "cancel_account.php": the account selected by "c" is not checked against the account of the logged-in user. An authenticated user can therefore submit cancellation requests for hosting accounts belonging to other users.
Successful exploitation requires that the administrator approves the cancel request.
The vulnerability has been confirmed in version 2.5.30 and has also been reported in version 2.5.20 and prior. Other versions may also be affected.
Solution: Edit the source code to ensure that users can only perform requests for their own accounts.
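The following is an added illustration of the ownership check the solution calls for; it is not code from WHM AutoPilot or from the advisory. Only the "c" parameter name comes from the advisory. The in-memory account table, the user names, and the two handler functions are assumptions standing in for the application's database and request handling.

```php
<?php
// Added example, not WHM AutoPilot code. Shows the missing check behind the
// advisory: acting on the account named by "c" without confirming that it
// belongs to the authenticated user, beside a hardened version of the same
// handler. Data model and function names are assumptions.

// Constructed sample data standing in for the hosting database:
// account id => owning user.
$ACCOUNTS = [
    101 => 'alice',
    102 => 'alice',
    203 => 'bob',
];

// Vulnerable pattern: any existing account id supplied in "c" is accepted,
// so bob can request cancellation of alice's account by sending c=101.
function request_cancel_vulnerable(array $accounts, string $currentUser, array $get): string
{
    $id = (int) ($get['c'] ?? 0);
    if (!isset($accounts[$id])) {
        return 'unknown account';
    }
    // No ownership check: $currentUser is never compared to the owner.
    return "cancel request queued for account $id";
}

// Hardened pattern: validate "c" as an integer, look the account up, and
// refuse unless the owner is the authenticated user. Fail closed and log
// the attempt so the administrator can see cross-account requests.
function request_cancel_hardened(array $accounts, string $currentUser, array $get): string
{
    $id = filter_var($get['c'] ?? '', FILTER_VALIDATE_INT);
    if ($id === false || !isset($accounts[$id])) {
        return 'unknown account';
    }
    if ($accounts[$id] !== $currentUser) {
        error_log("cancel_account: user $currentUser attempted to cancel account $id owned by {$accounts[$id]}");
        return 'forbidden';
    }
    return "cancel request queued for account $id";
}

// bob (authenticated) submits a request for alice's account 101.
$get = ['c' => '101'];
echo request_cancel_vulnerable($ACCOUNTS, 'bob', $get), PHP_EOL;
echo request_cancel_hardened($ACCOUNTS, 'bob', $get), PHP_EOL;
// alice submitting the same request for her own account is allowed.
echo request_cancel_hardened($ACCOUNTS, 'alice', $get), PHP_EOL;
```

When the account table lives in a database, the equivalent fix is to scope the lookup to the session user in the query itself (for example `WHERE id = ? AND owner = ?` with both values bound), so that a request for someone else's account finds no row rather than relying on a separate comparison that a later code path might skip.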