CVE-2006-0573
Description
Multiple cross-site scripting (XSS) vulnerabilities in cPanel 10 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) email parameter to (a) editquota.html or (b) dodelpop.html; (2) showtree parameter to (c) diskusage.html; or the (3) mon, (4) year, (5) target, or (6) domain parameter to (d) stats/detailbw.html.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- cpe:2.3:a:cpanel:cpanel:10:*:*:*:*:*:*:*
- cpe:2.3:a:cpanel:cpanel:5.0:*:*:*:*:*:*:*
- cpe:2.3:a:cpanel:cpanel:5.3:*:*:*:*:*:*:*
- cpe:2.3:a:cpanel:cpanel:6.0:*:*:*:*:*:*:*
- cpe:2.3:a:cpanel:cpanel:6.2:*:*:*:*:*:*:*
- cpe:2.3:a:cpanel:cpanel:6.4:*:*:*:*:*:*:*
- cpe:2.3:a:cpanel:cpanel:6.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:cpanel:cpanel:6.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:cpanel:cpanel:6.4.2_stable_48:*:*:*:*:*:*:*
- cpe:2.3:a:cpanel:cpanel:7.0:*:*:*:*:*:*:*
- cpe:2.3:a:cpanel:cpanel:8.0:*:*:*:*:*:*:*
- cpe:2.3:a:cpanel:cpanel:9.0:*:*:*:*:*:*:*
- cpe:2.3:a:cpanel:cpanel:9.1:*:*:*:*:*:*:*
- (no CPE) range: <= 10
Patches
Vulnerability mechanics
Root cause
"Failure to sanitize user-supplied input in the `email`, `showtree`, `mon`, `year`, `target`, and `domain` parameters before reflecting them in HTTP responses."
Attack vector
An unauthenticated remote attacker can inject arbitrary HTML or JavaScript by crafting a URL that includes malicious script in the `email`, `showtree`, `mon`, `year`, `target`, or `domain` parameters [ref_id=1]. The injected payload is reflected back to the victim's browser without sanitization, enabling cross-site scripting (XSS) attacks [ref_id=1]. The attacker must trick an authenticated cPanel user into visiting the crafted URL, typically via a phishing link or by embedding the link in a third-party site [ref_id=1]. Successful exploitation allows cookie theft, session hijacking, and full compromise of the victim's cPanel account [ref_id=1].
Affected code
The vulnerable scripts are `editquota.html`, `dodelpop.html`, `diskusage.html`, and `stats/detailbw.html` within the `/frontend/xcontroller/` path of cPanel 10 and earlier [ref_id=1]. The advisory does not specify the exact server-side handler or function name responsible for processing these templates.
What the fix does
The advisory does not include a patch or vendor fix [ref_id=1]. The recommended remediation is to properly sanitize all user-supplied input before reflecting it in HTTP responses, specifically the `email`, `showtree`, `mon`, `year`, `target`, and `domain` parameters [ref_id=1]. No official patch has been published in the provided references.
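To make the remediation concrete, the following added example (not cPanel's code; the template strings and the allowlists for `mon`, `year` and `showtree` are assumptions) contrasts a sink that reflects the named parameters verbatim with one that validates fixed-shape values and HTML-escapes everything it echoes, using the advisory's own proof-of-concept URL as input.

```python
# Constructed example: a reflected-XSS sink and its hardened counterpart for the
# query parameters named in CVE-2006-0573. Templates are illustrative, not cPanel's.
import html
import re
from urllib.parse import parse_qs, urlsplit

REFLECTED = ("email", "showtree", "mon", "year", "target", "domain")

# Assumed allowlists for parameters that have a fixed shape and never need markup.
ALLOWLIST = {
    "mon": re.compile(r"^(0?[1-9]|1[0-2])$"),
    "year": re.compile(r"^\d{4}$"),
    "showtree": re.compile(r"^[01]$"),
}


def query_params(url):
    """First value of every reflected parameter present in the URL ('' when blank)."""
    parsed = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {name: parsed[name][0] for name in REFLECTED if name in parsed}


def render_vulnerable(url):
    """Reflects email/domain verbatim: the pattern the advisory describes."""
    p = query_params(url)
    return f'<input name="email" value="{p.get("email", "")}"> for {p.get("domain", "")}'


def sanitize_params(url):
    """Validate fixed-shape parameters and HTML-escape everything that is reflected.
    Returns (escaped values, sorted list of rejected parameter names)."""
    escaped, rejected = {}, []
    for name, value in query_params(url).items():
        pattern = ALLOWLIST.get(name)
        if pattern and not pattern.fullmatch(value):
            rejected.append(name)
            continue
        # quote=True also encodes ' and " so the value is safe inside attributes
        escaped[name] = html.escape(value, quote=True)
    return escaped, sorted(rejected)


def render_hardened(url):
    """Same page as render_vulnerable, but refuses bad input and escapes the rest."""
    escaped, rejected = sanitize_params(url)
    if rejected:  # names come from REFLECTED, so echoing them is safe
        return "<p>Invalid request parameter(s): " + ", ".join(rejected) + "</p>"
    return f'<input name="email" value="{escaped.get("email", "")}"> for {escaped.get("domain", "")}'
```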
Preconditions
- auth: The victim must be logged into cPanel (authentication cookie present)
- input: The attacker must trick the victim into visiting a crafted URL (e.g., via phishing or embedding in a third-party site)
- network: cPanel must be accessible over the network on ports 2082 or 2083
Reproduction
1. Access a cPanel instance (version 10 or earlier) on port 2082 or 2083.
2. Visit the following URL, replacing `vulnerable-site.com` with the target: `http://vulnerable-site.com:2082/frontend/xcontroller/editquota.html?email=<script>alert('vul')</script>&domain=` [ref_id=1].
3. Observe that the JavaScript alert executes in the browser, confirming the XSS vulnerability.
4. Similar PoC URLs exist for `dodelpop.html`, `diskusage.html`, and `stats/detailbw.html` with different parameters [ref_id=1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- secunia.com/advisories/18695 (nvd; Exploit, Vendor Advisory)
- archives.neohapsis.com/archives/fulldisclosure/2006-02/0025.html (nvd; Vendor Advisory)
- marc.info (nvd)
- www.osvdb.org/22936 (nvd)
- www.osvdb.org/22937 (nvd)
- www.osvdb.org/22938 (nvd)
- www.osvdb.org/22939 (nvd)
- www.vupen.com/english/advisories/2006/0433 (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/24468 (nvd)
News mentions
No linked articles in our index yet.