56 matches found
CVE-2017-18397
cPanel before 68.0.15 does not preserve permissions for local backup transport SEC-330...
Authentication flaw
cPanel before 68.0.27 allows self XSS in cPanel Backup Restoration SEC-383...
CVE-2018-20925
cPanel before 70.0.23 allows local privilege escalation via the WHM Legacy Language File Upload interface SEC-379...
CVE-2016-10846
cPanel before 11.54.0.4 allows arbitrary file-chown and file-chmod operations during Roundcube database conversions SEC-79...
CVE-2018-20917
cPanel before 70.0.23 allows any user to disable Solr SEC-371...
CVE-2018-20922
cPanel before 70.0.23 allows stored XSS via a WHM DNS Cleanup action SEC-376...
CVE-2018-20904
cPanel before 71.9980.37 allows attackers to make API calls that bypass the cron feature restriction SEC-427...
CVE-2018-20901
cPanel before 71.9980.37 allows Remote-Stored XSS in WHM Save Theme Interface SEC-400...
Command injection
cPanel before 70.0.23 allows demo accounts to execute code via awstats SEC-362...
CVE-2018-20922
cPanel before 70.0.23 allows stored XSS via a WHM DNS Cleanup action SEC-376...
Code injection
cPanel before 74.0.8 allows demo accounts to execute arbitrary code via the Fileman::viewfile API SEC-444...
Cross site scripting
cPanel before 74.0.8 allows self XSS in the Site Software Moderation interface SEC-434...
CVE-2018-20889
cPanel before 74.0.0 allows certain file-read operations via password file caching SEC-425...
CVE-2019-14390
cPanel before 82.0.2 has stored XSS in the WHM Modify Account interface SEC-512...
aria-cpanel.txt
Aria-Security Team Advisory Original Advisory: http://www.aria-security.com/forum/showthread.php?t=68 ----------------------------------------------------------- Vulnerability: cPanel Version 11 Pops.Html Cross-Site Scripting PoC: http://target:2082/mail/pops.html?domain=XSS Contact:...
cPanel 10 - 'newuser.html' Multiple Cross-Site Scripting Vulnerabilities
source: https://www.securityfocus.com/bid/21027/info cPanel is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. An attacker may leverage these issues to have arbitrary script code execute in the browser of an unsuspecting user in th...