Skip to end of metadata
Go to start of metadata

Vulnerability when Hosting Control Panel end-users are downloading files using the CDP Web Interface.


R1Soft rates this vulnerability Critical.

Risk Assessment

We have identified a security flaw in Hosting Control Panel end-user file download which may affect CDP Enterprise & Advanced Edition instances in the public environment. The vulnerability allows a control panel end-user to download files outside of their home directory that they do not have privileges to.

Risk Mitigation

You should immediately upgrade to CDP 3.12.3 or later OR disable all configured hosting control panel instances on your CDP Policies. Disabling the configured hosting control panel instances on your CDP Policies will prevent a control panel end-user from exploiting the vulnerability.


CDP Server Actions:
Login to the CDP Server web interface and to a hosting control panel instance using the credentials of the control panel end-user. Then use the download to zip or tar archive functionality.

Affected CDP Versions:
CDP Enterprise/Advanced Editions: 3.12.0, 3.12.1, 3.12.2


This issue has been fixed in CDP 3.12.3. Which you can download from the customer download portal

Important Note
Only the CDP Server needs to be upgraded to 3.12.3  No agent update is required for the fix.
See the release notes.
Enter labels to add to this page:
Please wait 
Looking for a label? Just start typing.