SEC-596

Invalid UTF-8 characters could trigger cPanel to use the Legacy Login page. This page did not adequately encode output. This could allow for an attacker to inject arbitrary JavaScript code into the rendered page.

cpanel disclosure

Proof of concept

https://[target]:2083/login?user=sth%22+onfocus=%22alert()%22+id=%22xss%22+%22%ff#xss

request & response