CVE-2020-29472

9.8 CRITICAL

📋 TL;DR

CVE-2020-29472 is a SQL injection vulnerability in EGavilan Media's Under Construction page with cPanel 1.0 plugin. Attackers can exploit this to gain admin panel access and execute arbitrary code remotely. Organizations using this specific plugin version are affected.

💻 Affected Systems

Products:
  • EGavilan Media Under Construction page with cPanel
Versions: 1.0
Operating Systems: Any OS running cPanel with this plugin
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the specific plugin to be installed and active in cPanel.

⚠️ Risk & Real-World Impact

🔴 Worst Case
Complete system compromise with remote code execution leading to data theft, ransomware deployment, or persistent backdoor installation.

🟠 Likely Case
Unauthorized admin access leading to website defacement, data exfiltration, or malware injection.

🟢 If Mitigated
Limited impact where network segmentation is in place and monitoring detects exploitation attempts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code is available, making this easily exploitable by attackers with basic skills.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.0.1 or later

Vendor Advisory: https://www.egavilanmedia.com/security-advisory-cve-2020-29472

Restart Required: No

Instructions:

1. Log into cPanel.
2. Navigate to plugin management.
3. Update 'Under Construction page with cPanel' to version 1.0.1 or later.
4. Verify that the update completes successfully.

🔧 Temporary Workarounds

Disable vulnerable plugin (platform: linux)

Temporarily disable the Under Construction page plugin until patched:

cpanel-plugin-manager --disable under-construction-cpanel

Web Application Firewall rule (platform: all)

Block SQL injection patterns targeting the vulnerable endpoint:

Add a WAF rule that denies requests containing SQL injection patterns to the /cpanel/under-construction endpoint.

🧯 If You Can't Patch

  • Remove the plugin completely from all affected systems
  • Implement strict network segmentation to isolate affected systems from critical assets

🔍 How to Verify

Check if Vulnerable:

Check cPanel plugin list for 'Under Construction page with cPanel' version 1.0

Check Version:

cpanel-plugin-manager --list | grep 'under-construction-cpanel'

Verify Fix Applied:

Verify plugin version shows 1.0.1 or later in cPanel plugin manager

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in web server logs
  • Multiple failed login attempts followed by successful admin access
  • Requests to /cpanel/under-construction with SQL syntax

Network Indicators:

  • Outbound connections from cPanel server to unknown IPs
  • Unusual database query patterns

SIEM Query:

source="web_logs" AND uri="/cpanel/under-construction" AND (query CONTAINS "UNION" OR query CONTAINS "SELECT *" OR query CONTAINS "--")
