Cpanel Security Vulnerabilities

CVE-2016-10779

cPanel before 60.0.25 allows stored XSS in api1_listautoresponders...

CVE-2016-10776

cPanel before 60.0.25 allows stored XSS during the homedir removal phase of WHM Account termination...

CVE-2016-10780

cPanel before 60.0.25 allows stored XSS in the ftp_sessions API...

CVE-2016-10784

cPanel before 60.0.25 allows self XSS in the alias upload interface...

CVE-2017-18482

cPanel before 62.0.4 allows resellers to use the WHM enqueue_transfer_item API for queueing non-rearrange modules...

CVE-2017-18481

cPanel before 62.0.4 allows stored XSS in the WHM Account Suspension List interface...

CVE-2017-18477

In cPanel before 62.0.4, Exim transports could execute in the context of the nobody account...

CVE-2017-18480

cPanel before 62.0.4 does not enforce account ownership for has_mycnf_for_cpuser WHM API calls...

CVE-2017-18479

In cPanel before 62.0.4, WHM SSL certificate generation uses an unreserved e-mail address...

CVE-2017-18478

In cPanel before 62.0.4 incorrect ACL checks could occur in xml-api for Rearrange Account actions...

CVE-2017-18476

Leech Protect in cPanel before 62.0.4 does not protect certain directories...

CVE-2017-18474

cPanel before 62.0.4 allows arbitrary file-read operations via Exim valiases...

CVE-2017-18473

cPanel before 62.0.4 allows self XSS on the webmail Password and Security page...

CVE-2017-18475

In cPanel before 62.0.4, Exim piped filters ran in the context of an incorrect user account when delivering to a system user...

CVE-2016-10768

cPanel before 60.0.25 allows file-overwrite operations during preparation for MySQL upgrades...

CVE-2016-10772

cPanel before 60.0.25 does not enforce feature-list restrictions when calling the multilang adminbin...

CVE-2016-10773

cPanel before 60.0.25 allows format-string injection in exception-message handling...

CVE-2016-10775

cPanel before 60.0.25 allows arbitrary file-chown operations via reassign_post_terminate_cruft...

CVE-2017-18469

cPanel before 62.0.17 allows demo accounts to execute code via an NVData_fetchinc API call...

CVE-2016-10767

cPanel before 60.0.25 allows stored XSS in the WHM Repair Mailbox Permissions interface...

CVE-2016-10771

cPanel before 60.0.25 allows file-create and file-chmod operations during ModSecurity Audit logfile processing...

CVE-2016-10774

cPanel before 60.0.25 allows self XSS in the tail_ea4_migration.cgi interface...

CVE-2017-18471

cPanel before 62.0.4 allows self XSS on the paper_lantern password-change screen...

CVE-2017-18472

cPanel before 62.0.4 allows reflected XSS in reset-password interfaces...

CVE-2016-10770

cPanel before 60.0.25 allows arbitrary file-overwrite operations during a Roundcube update...

CVE-2016-10769

cPanel before 60.0.25 allows an open redirect via /cgi-sys/FormMail-clone.cgi...

CVE-2017-18470

cPanel before 62.0.4 has a fixed password for the Munin MySQL test account...

CVE-2017-18464

cPanel before 62.0.17 allows arbitrary file-overwrite operations via the WHM Zone Template editor...

CVE-2017-18462

cPanel before 62.0.17 allows a CPHulk one-day ban bypass when IP based protection is enabled...

CVE-2017-18465

cPanel before 62.0.17 does not have a sufficient list of reserved usernames...

CVE-2017-18466

cPanel before 62.0.17 does not properly recognize domain ownership during addition of parked domains to a mail configuration...

CVE-2017-18467

cPanel before 62.0.17 allows access to restricted resources because of a URL filtering error...

CVE-2017-18468

cPanel before 62.0.17 allows demo accounts to execute code via the Htaccess::setphppreference API...

CVE-2017-18463

cPanel before 62.0.17 allows code execution in the context of the root account via a long DocumentRoot path...

CVE-2017-18460

cPanel before 62.0.17 allows arbitrary code execution during automatic SSL installation...

CVE-2017-18461

cPanel before 62.0.17 allows does not preserve security policy questions across an account rename...

CVE-2017-18456

cPanel before 62.0.17 allows self XSS in the WHM cPAddons showsecurity interface...

CVE-2017-18452

cPanel before 64.0.21 allows code execution via Rails configuration files...

CVE-2017-18455

In cPanel before 62.0.17, addon domain conversion did not require a package for resellers...

CVE-2017-18459

cPanel before 62.0.17 allows arbitrary code execution during account modification...

CVE-2017-18453

cPanel before 64.0.21 does not preserve supplemental groups across account renames...

CVE-2017-18457

cPanel before 62.0.17 allows arbitrary file-read operations via WHM /styled/ URLs...

CVE-2017-18454

cPanel before 62.0.24 allows stored XSS in the WHM cPAddons install interface...

CVE-2017-18458

cPanel before 62.0.17 allows file overwrite when renaming an account...

CVE-2017-18448

cPanel before 64.0.21 allows certain file-read operations via a Serverinfo_manpage API call...

CVE-2017-18450

cPanel before 64.0.21 allows certain file-chmod operations via /scripts/convert_roundcube_mysql2sqlite...

CVE-2017-18449

cPanel before 64.0.21 allows certain file-rename operations in the context of the root account via scripts/convert_roundcube_mysql2sqlite...

CVE-2017-18451

cPanel before 64.0.21 allows attackers to read a user's crontab file during a short time interval upon a cPAddon upgrade...

CVE-2017-18438

cPanel before 64.0.21 allows demo accounts to execute code via Encoding API calls...

CVE-2017-18445

cPanel before 64.0.21 does not enforce demo restrictions for SSL API calls...