The WHM/cPanel XML locale file uploads allowed the processing of external XML entities. This would permit resellers with the ‘locale-edit’ ACL to read any files on the system, make arbitrary network connections, and can also DoS the server with the billion laughs attack.
Fixed Version:
This issue is resolved in the following builds:
11.42.0.23
11.40.1.13
11.38.2.23
cPanel rewarded me $1000 for reporting this vulnerability 🙂
External XML entity injection in WHM locale upload interface.
Great Mr Prajith!!!