VYPR
Unrated severity · NVD Advisory · Published Dec 31, 2004 · Updated Apr 16, 2026

CVE-2004-2308

Description

cPanel 9.1.0 and earlier has an XSS vulnerability in dohtaccess.html via the dir parameter, allowing script injection.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A cross-site scripting (XSS) vulnerability exists in cPanel versions 9.1.0 and possibly earlier. The flaw resides in the dohtaccess.html page, specifically within the handling of the dir parameter, which fails to adequately sanitize user-supplied input, allowing for the injection of arbitrary web script or HTML [1].

Exploitation

An attacker can exploit this vulnerability by crafting a malicious URL that includes script or HTML code within the dir parameter of the dohtaccess.html page. For exploitation to be successful, the victim typically needs to be authenticated with valid credentials and interact with the crafted URL [1]. An example payload is http://www.example.com:2082/frontend/x/htaccess/dohtaccess.html?dir=> [1].

Impact

Successful exploitation allows an attacker to execute arbitrary HTML or script code within the context of the victim's browser. This can lead to the theft of cookie-based authentication credentials and potentially other malicious actions against the user [1].

Mitigation

No specific patched version or release date is mentioned in the available references. Users are advised to consult cPanel documentation or security advisories for information on available patches or workarounds. This vulnerability is not listed as being actively exploited in the wild or part of known exploited vulnerabilities.
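With no patch identified, two defensive checks follow from the description above. The sketch below is an added example, not cPanel's code and not taken from the cited reference: it flags logged requests to dohtaccess.html whose decoded dir value carries markup characters, and shows the output encoding whose absence the flaw comes down to. The common-log-format layout, the function names and the sample lines are assumptions constructed for illustration.

```python
import html
from urllib.parse import urlsplit, parse_qs

# Characters that let a reflected value leave text or attribute context.
MARKUP_CHARS = set("<>\"'")

def suspicious_dir(request_target):
    """Return the decoded dir value if a dohtaccess.html request carries markup, else None."""
    parts = urlsplit(request_target)
    if not parts.path.endswith("/dohtaccess.html"):
        return None
    # parse_qs percent-decodes, so encoded brackets are caught as well.
    for value in parse_qs(parts.query, keep_blank_values=True).get("dir", []):
        if MARKUP_CHARS & set(value):
            return value
    return None

def scan(log_lines):
    """Return (client, decoded dir) for every flagged access-log line."""
    hits = []
    for line in log_lines:
        try:
            client = line.split(" ", 1)[0]
            request = line.split('"')[1]      # 'GET /path?query HTTP/1.0'
            target = request.split(" ")[1]
        except IndexError:
            continue                          # malformed line: skip it
        value = suspicious_dir(target)
        if value is not None:
            hits.append((client, value))
    return hits

def render_dir(value):
    """Encode dir for HTML output, the step the vulnerable page omits."""
    return html.escape(value, quote=True)

# Constructed sample log lines (assumed common log format, documentation IPs).
SAMPLE_LOG = [
    '192.0.2.10 - alice [10/Mar/2004:10:01:22 +0000] "GET /frontend/x/htaccess/dohtaccess.html?dir=/home/alice/public_html HTTP/1.0" 200 2311',
    '192.0.2.44 - bob [10/Mar/2004:10:03:05 +0000] "GET /frontend/x/htaccess/dohtaccess.html?dir=%3Cb%3Etest%3C%2Fb%3E HTTP/1.0" 200 2350',
    '192.0.2.10 - alice [10/Mar/2004:10:04:41 +0000] "GET /frontend/x/index.html?dir=%3Cb%3E HTTP/1.0" 200 900',
]

if __name__ == "__main__":
    for client, value in scan(SAMPLE_LOG):
        print(client, repr(value), "->", render_dir(value))
```

Only the second sample line is flagged; the third is ignored because it does not target dohtaccess.html.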

AI Insight generated on Jun 2, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • CPanel/Cpanel (13 versions)
    • cpe:2.3:a:cpanel:cpanel:5.0:*:*:*:*:*:*:*
    • cpe:2.3:a:cpanel:cpanel:5.3:*:*:*:*:*:*:*
    • cpe:2.3:a:cpanel:cpanel:6.0:*:*:*:*:*:*:*
    • cpe:2.3:a:cpanel:cpanel:6.2:*:*:*:*:*:*:*
    • cpe:2.3:a:cpanel:cpanel:6.4:*:*:*:*:*:*:*
    • cpe:2.3:a:cpanel:cpanel:6.4.1:*:*:*:*:*:*:*
    • cpe:2.3:a:cpanel:cpanel:6.4.2:*:*:*:*:*:*:*
    • cpe:2.3:a:cpanel:cpanel:6.4.2_stable_48:*:*:*:*:*:*:*
    • cpe:2.3:a:cpanel:cpanel:7.0:*:*:*:*:*:*:*
    • cpe:2.3:a:cpanel:cpanel:8.0:*:*:*:*:*:*:*
    • cpe:2.3:a:cpanel:cpanel:9.0:*:*:*:*:*:*:*
    • cpe:2.3:a:cpanel:cpanel:9.1:*:*:*:*:*:*:*
    • (no CPE) range: <=9.1.0

Patches

0

No patches discovered yet.

References

3
