cPanel before 60.0.25 does not enforce feature-list restrictions when calling the multilang adminbin (SEC-168).
3.3CVSS
4.3AI Score
0.0004EPSS
cPanel before 60.0.25 allows format-string injection in exception-message handling (SEC-171).
8.8CVSS
8.7AI Score
0.001EPSS
cPanel before 60.0.25 allows self XSS in the tail_ea4_migration.cgi interface (SEC-172).
5.4CVSS
5.2AI Score
0.001EPSS
cPanel before 60.0.25 allows arbitrary file-chown operations via reassign_post_terminate_cruft (SEC-173).
6.5CVSS
6.5AI Score
0.001EPSS
cPanel before 60.0.25 allows stored XSS during the homedir removal phase of WHM Account termination (SEC-174).
5.4CVSS
5.2AI Score
0.001EPSS
cPanel before 60.0.25 allows self XSS in WHM Tweak Settings for autodiscover_host (SEC-177).
5.4CVSS
5.3AI Score
0.001EPSS
5.4CVSS
5.2AI Score
0.001EPSS
5.4CVSS
5.2AI Score
0.001EPSS
5.4CVSS
5.2AI Score
0.001EPSS
5.4CVSS
5.2AI Score
0.001EPSS
5.4CVSS
5.2AI Score
0.001EPSS
5.4CVSS
5.2AI Score
0.001EPSS
5.4CVSS
5.3AI Score
0.001EPSS
cPanel before 60.0.25 allows attackers to discover file contents during file copy operations (SEC-185).
6.5CVSS
6.4AI Score
0.001EPSS
cPanel before 60.0.25 allows members of the nobody group to read Apache HTTP Server SSL keys (SEC-186).
6.5CVSS
6.3AI Score
0.001EPSS
The Host Access Control feature in cPanel before 60.0.25 mishandles actionless host.deny entries (SEC-187).
8.1CVSS
8AI Score
0.001EPSS
cPanel before 60.0.25 allows arbitrary code execution via Maketext in PostgreSQL adminbin (SEC-188).
8.8CVSS
8.9AI Score
0.001EPSS
cPanel before 60.0.25 allows code execution via the cpsrvd 403 error response handler (SEC-191).
8.8CVSS
8.8AI Score
0.001EPSS
cPanel before 60.0.25 does not use TLS for HTTP POSTs to listinput.cpanel.net (SEC-192).
7.5CVSS
7.5AI Score
0.002EPSS
cPanel before 60.0.15 does not ensure that system accounts lack a valid password, so that logins are impossible (CPANEL-9559).
5.3CVSS
5.3AI Score
0.001EPSS
cPanel before 59.9999.145 allows code execution in the context of other accounts via mailman list archives (SEC-141).
8.8CVSS
8.8AI Score
0.001EPSS
cPanel before 59.9999.145 allows arbitrary code execution due to an incorrect #! in Mail::SPF scripts (SEC-152).
8.8CVSS
8.8AI Score
0.001EPSS
cPanel before 59.9999.145 allows arbitrary file-read operations because of a multipart form processing error (SEC-154).
6.5CVSS
6.5AI Score
0.001EPSS
cPanel before 59.9999.145 allows stored XSS in the WHM tail_upcp2.cgi interface (SEC-156).
6.1CVSS
5.9AI Score
0.001EPSS
cPanel before 58.0.4 initially uses weak permissions for Apache HTTP Server log files (SEC-130).
3.3CVSS
4.3AI Score
0.0004EPSS
cPanel before 58.0.4 allows WHM "Purchase and Install an SSL Certificate" page visitors to list all server domains (SEC-133).
4.3CVSS
4.7AI Score
0.001EPSS
cPanel before 58.0.4 allows a file-ownership change (to nobody) via rearrangeacct (SEC-134).
6.8CVSS
6.6AI Score
0.001EPSS
cPanel before 58.0.4 does not set the Pear tmp directory during a PHP installation (SEC-137).
5.5CVSS
5.6AI Score
0.0004EPSS
cPanel before 58.0.4 allows demo-mode escape via Site Templates and Boxtrapper API calls (SEC-138).
7.8CVSS
7.6AI Score
0.001EPSS
8.8CVSS
8.7AI Score
0.001EPSS
cPanel before 58.0.4 allows code execution in the context of other user accounts through the PHP CGI handler (SEC-142).
8.8CVSS
8.8AI Score
0.001EPSS
7.5CVSS
7.7AI Score
0.001EPSS
The SQLite journal feature in cPanel before 57.9999.54 allows arbitrary file-overwrite operations during Horde Restore (SEC-58).
8.1CVSS
8AI Score
0.001EPSS
cPanel before 57.9999.54 allows demo accounts to execute arbitrary code via ajax_maketext_syntax_util.pl (SEC-109).
8.8CVSS
8.9AI Score
0.001EPSS
cPanel before 57.9999.54 allows self XSS on the Paper Lantern Landing Page (SEC-110).
5.4CVSS
5.2AI Score
0.001EPSS
cPanel before 57.9999.54 allows certain denial-of-service outcomes via /scripts/killpvhost (SEC-112).
6.5CVSS
6.5AI Score
0.001EPSS
In cPanel before 57.9999.54, /scripts/addpop and /scripts/delpop exposed TTYs (SEC-113).
8.8CVSS
8.6AI Score
0.001EPSS
In cPanel before 57.9999.54, /scripts/checkinfopages exposed a TTY to an unprivileged process (SEC-114).
8.8CVSS
8.5AI Score
0.001EPSS
In cPanel before 57.9999.54, /scripts/maildir_converter exposed a TTY to an unprivileged process (SEC-115).
8.8CVSS
8.5AI Score
0.001EPSS
8.8CVSS
8.6AI Score
0.001EPSS
8.8CVSS
8.6AI Score
0.001EPSS
cPanel before 57.9999.54 allows self XSS during ftp account creation under addon domains (SEC-118).
5.4CVSS
5.3AI Score
0.001EPSS
8.8CVSS
8.6AI Score
0.001EPSS
cPanel before 57.9999.54 allows arbitrary file-read operations for Webmail accounts via Branding APIs (SEC-120).
6.5CVSS
6.6AI Score
0.001EPSS
cPanel before 57.9999.54 allows Webmail accounts to execute arbitrary code through forwarders (SEC-121).
8.8CVSS
8.9AI Score
0.001EPSS
cPanel before 57.9999.54 allows SQL Injection via the ModSecurity TailWatch log file (SEC-123).
9.8CVSS
9.8AI Score
0.001EPSS
cPanel before 57.9999.54 incorrectly sets log-file permissions in dnsadmin-startup and spamd-startup (SEC-124).
6.5CVSS
6.5AI Score
0.001EPSS
In cPanel before 57.9999.54, user log files become world-readable when rotated by cpanellogd (SEC-125).
6.5CVSS
6.5AI Score
0.001EPSS
cPanel before 55.9999.141 allows daemons to access their controlling TTYs (SEC-31).
8.8CVSS
8.5AI Score
0.001EPSS
In cPanel before 55.9999.141, Scripts/addpop reveals a command-line password in a process list (SEC-75).
6.5CVSS
6.5AI Score
0.001EPSS