Cpanel Security Vulnerabilities

CVE-2018-20902

cPanel before 71.9980.37 allows attackers to read root's crontab file by leveraging ClamAV installation...

CVE-2018-20914

In cPanel before 70.0.23, OpenID providers can inject arbitrary data into cPanel session files...

CVE-2018-20909

cPanel before 70.0.23 allows arbitrary file-chmod operations during legacy incremental backups...

CVE-2016-10854

cPanel before 11.54.0.4 allows self XSS in the X3 Entropy Banner interface...

CVE-2016-10858

cPanel before 11.54.0.0 allows unauthenticated arbitrary code execution via DNS NS entry poisoning...

CVE-2016-10859

cPanel before 11.54.0.0 allows unauthorized password changes via Webmail API commands...

CVE-2016-10856

cPanel before 11.54.0.0 allows subaccounts to discover sensitive data through comet feeds...

CVE-2016-10860

cPanel before 11.54.0.0 allows unauthorized zone modification via the WHM API...

CVE-2016-10855

cPanel before 11.54.0.4 allows unauthenticated arbitrary code execution via cpsrvd...

CVE-2016-10850

cPanel before 11.54.0.4 allows arbitrary code execution via scripts/synccpaddonswithsqlhost...

CVE-2016-10857

cPanel before 11.54.0.0 allows a bypass of the e-mail sending limit...

CVE-2018-20901

cPanel before 71.9980.37 allows Remote-Stored XSS in WHM Save Theme Interface...

CVE-2016-10853

cPanel before 11.54.0.4 allows stored XSS in the WHM Feature Manager interface...

CVE-2015-9291

cPanel before 11.52.0.13 does not prevent arbitrary file-read operations via get_information_for_applications...

CVE-2016-10851

cPanel before 11.54.0.4 allows self XSS in the WHM PHP Configuration editor interface...

CVE-2016-10852

cPanel before 11.54.0.4 lacks ACL enforcement in the AppConfig subsystem...

CVE-2018-20900

cPanel before 71.9980.37 allows stored XSS in the YUM autorepair functionality...

CVE-2018-20890

cPanel before 74.0.0 allows arbitrary zone file modifications during record edits...

CVE-2018-20894

cPanel before 74.0.0 makes web-site contents accessible to other local users via Git repositories...

CVE-2018-20889

cPanel before 74.0.0 allows certain file-read operations via password file caching...

CVE-2018-20893

cPanel before 74.0.0 allows file-rename operations during account renames...

CVE-2018-20895

In cPanel before 71.9980.37, API tokens retain ACLs after those ACLs are removed from the corresponding accounts...

CVE-2018-20899

cPanel before 71.9980.37 allows stored XSS in the WHM cPAddons installation interface...

CVE-2018-20898

cPanel before 71.9980.37 allows e-mail injection during cPAddons moderation...

CVE-2018-20891

cPanel before 74.0.0 allows arbitrary file-read operations during File Restoration...

CVE-2018-20897

cPanel before 71.9980.37 allows arbitrary file-unlink operations via the cPAddons moderation system...

CVE-2018-20892

cPanel before 74.0.0 allows arbitrary zone file modifications because of incorrect CAA record handling...

CVE-2018-20896

cPanel before 71.9980.37 allows code injection in the WHM cPAddons interface...

CVE-2018-20888

cPanel before 74.0.0 allows file modification in the context of the root account because of incorrect HTTP authentication...

CVE-2018-20886

cPanel before 74.0.0 insecurely stores phpMyAdmin session files...

CVE-2018-20887

cPanel before 74.0.0 allows SQL injection during database backups...

CVE-2018-20883

cPanel before 74.0.8 allows FTP access during account suspension...

CVE-2018-20884

cPanel before 74.0.0 allows stored XSS in the WHM File Restoration interface...

CVE-2018-20885

cPanel before 74.0.0 allows Apache HTTP Server configuration injection because of DocumentRoot variable interpolation...

CVE-2018-20874

cPanel before 74.0.8 allows self XSS in the WHM "Create a New Account" interface...

CVE-2018-20879

cPanel before 74.0.8 allows demo accounts to execute arbitrary code via the Fileman::viewfile API...

CVE-2018-20882

cPanel before 74.0.8 allows arbitrary file-write operations in the context of the root account during WHM Force Password Change...

CVE-2018-20877

cPanel before 74.0.8 allows self XSS in WHM Style Upload interface...

CVE-2018-20880

cPanel before 74.0.8 mishandles account suspension because of an invalid email_accounts.json file...

CVE-2018-20873

cPanel before 74.0.8 allows local users to disable the ClamAV daemon...

CVE-2018-20881

cPanel before 74.0.8 allows self stored XSS on the Security Questions login page...

CVE-2018-20876

cPanel before 74.0.8 allows self XSS in the Site Software Moderation interface...

CVE-2018-20875

cPanel before 74.0.8 allows self XSS in the WHM Security Questions interface...

CVE-2018-20878

cPanel before 74.0.8 allows stored XSS in WHM "File and Directory Restoration" interface...

CVE-2019-14414

In cPanel before 78.0.2, a Userdata cache temporary file can conflict with domains...

CVE-2019-14411

cPanel before 78.0.2 does not properly restrict demo accounts from writing to files via the DCV UAPI...

CVE-2019-14409

cPanel before 78.0.2 allows arbitrary file-read operations via Passenger adminbin...

CVE-2019-14413

cPanel before 78.0.2 allows certain file-write operations as shared users during connection resets...

CVE-2019-14410

Maketext in cPanel before 78.0.2 allows format-string injection in the Email store_filter UAPI...

CVE-2019-14412

Maketext in cPanel before 78.0.2 allows format-string injection in the DCV check_domains_via_dns UAPI...