Cpanel Security Vulnerabilities
cPanel before 76.0.8 has Stored XSS in the WHM "Reset a DNS Zone" feature (SEC-461).
6.1CVSS
5.8AI Score
0.001EPSS
6.1CVSS
6.3AI Score
0.001EPSS
cPanel before 76.0.8 has Stored XSS in the WHM MultiPHP Manager interface (SEC-464).
6.1CVSS
5.8AI Score
0.001EPSS
cPanel before 76.0.8 allows arbitrary code execution in the context of the root account via dnssec adminbin (SEC-465).
7.8CVSS
7.9AI Score
0.0004EPSS
The WebDAV transport feature in cPanel before 76.0.8 enables debug logging (SEC-467).
5.5CVSS
5.5AI Score
0.0004EPSS
3.3CVSS
4.1AI Score
0.0004EPSS
cPanel before 74.0.8 allows self XSS in the WHM "Create a New Account" interface (SEC-428).
5.4CVSS
5.2AI Score
0.001EPSS
cPanel before 74.0.8 allows self XSS in the WHM Security Questions interface (SEC-433).
5.4CVSS
5.2AI Score
0.001EPSS
cPanel before 74.0.8 allows self XSS in the Site Software Moderation interface (SEC-434).
5.4CVSS
5.2AI Score
0.001EPSS
5.4CVSS
5.2AI Score
0.001EPSS
cPanel before 74.0.8 allows stored XSS in WHM "File and Directory Restoration" interface (SEC-441).
5.4CVSS
5.2AI Score
0.001EPSS
cPanel before 74.0.8 allows demo accounts to execute arbitrary code via the Fileman::viewfile API (SEC-444).
6.3CVSS
6.8AI Score
0.001EPSS
cPanel before 74.0.8 mishandles account suspension because of an invalid email_accounts.json file (SEC-445).
3.3CVSS
4.3AI Score
0.0004EPSS
cPanel before 74.0.8 allows self stored XSS on the Security Questions login page (SEC-446).
5.4CVSS
5.2AI Score
0.001EPSS
cPanel before 74.0.8 allows arbitrary file-write operations in the context of the root account during WHM Force Password Change (SEC-447).
6.8CVSS
6.7AI Score
0.0004EPSS
6.5CVSS
6.5AI Score
0.001EPSS
cPanel before 74.0.0 allows stored XSS in the WHM File Restoration interface (SEC-367).
5.4CVSS
5.2AI Score
0.001EPSS
cPanel before 74.0.0 allows Apache HTTP Server configuration injection because of DocumentRoot variable interpolation (SEC-416).
5.3CVSS
5.5AI Score
0.001EPSS
5.3CVSS
5.3AI Score
0.0004EPSS
9.8CVSS
9.8AI Score
0.001EPSS
cPanel before 74.0.0 allows file modification in the context of the root account because of incorrect HTTP authentication (SEC-424).
5.5CVSS
5.7AI Score
0.0004EPSS
cPanel before 74.0.0 allows certain file-read operations via password file caching (SEC-425).
4.4CVSS
4.9AI Score
0.0004EPSS
cPanel before 74.0.0 allows arbitrary zone file modifications during record edits (SEC-426).
4.3CVSS
4.8AI Score
0.001EPSS
cPanel before 74.0.0 allows arbitrary file-read operations during File Restoration (SEC-436).
5.5CVSS
5.6AI Score
0.0004EPSS
cPanel before 74.0.0 allows arbitrary zone file modifications because of incorrect CAA record handling (SEC-439).
4.3CVSS
4.8AI Score
0.001EPSS
cPanel before 74.0.0 allows file-rename operations during account renames (SEC-442).
2.3CVSS
4.2AI Score
0.0004EPSS
cPanel before 74.0.0 makes web-site contents accessible to other local users via Git repositories (SEC-443).
3.3CVSS
4.1AI Score
0.0004EPSS
In cPanel before 71.9980.37, API tokens retain ACLs after those ACLs are removed from the corresponding accounts (SEC-393).
7.2CVSS
7AI Score
0.001EPSS
cPanel before 71.9980.37 allows code injection in the WHM cPAddons interface (SEC-394).
3.9CVSS
4.8AI Score
0.0004EPSS
cPanel before 71.9980.37 allows arbitrary file-unlink operations via the cPAddons moderation system (SEC-395).
2.8CVSS
4.4AI Score
0.0004EPSS
cPanel before 71.9980.37 allows e-mail injection during cPAddons moderation (SEC-396).
4.3CVSS
4.9AI Score
0.001EPSS
cPanel before 71.9980.37 allows stored XSS in the WHM cPAddons installation interface (SEC-398).
6.1CVSS
5.9AI Score
0.001EPSS
cPanel before 71.9980.37 allows stored XSS in the YUM autorepair functionality (SEC-399).
6.1CVSS
5.9AI Score
0.001EPSS
cPanel before 71.9980.37 allows Remote-Stored XSS in WHM Save Theme Interface (SEC-400).
6.1CVSS
5.9AI Score
0.001EPSS
cPanel before 71.9980.37 allows attackers to read root's crontab file by leveraging ClamAV installation (SEC-408).
5.5CVSS
5.4AI Score
0.0004EPSS
cPanel before 71.9980.37 allows self XSS in the WHM Backup Configuration interface (SEC-421).
6.1CVSS
5.9AI Score
0.001EPSS
cPanel before 71.9980.37 allows attackers to make API calls that bypass the cron feature restriction (SEC-427).
4.3CVSS
4.7AI Score
0.001EPSS
cPanel before 71.9980.37 allows attackers to make API calls that bypass the backup feature restriction (SEC-429).
5.4CVSS
5.5AI Score
0.001EPSS
cPanel before 71.9980.37 allows attackers to make API calls that bypass the images feature restriction (SEC-430).
4.3CVSS
4.7AI Score
0.001EPSS
cPanel before 71.9980.37 does not enforce the Mime::list_hotlinks API feature restriction (SEC-432).
4.3CVSS
4.7AI Score
0.001EPSS
cPanel before 71.9980.37 allows arbitrary file-read operations during pkgacct custom template handling (SEC-435).
5.5CVSS
5.6AI Score
0.0004EPSS
cPanel before 70.0.23 allows arbitrary file-chmod operations during legacy incremental backups (SEC-338).
7.1CVSS
7AI Score
0.0004EPSS
cPanel before 70.0.23 allows self XSS in the WHM cPAddons showsecurity Interface (SEC-357).
6.1CVSS
5.9AI Score
0.001EPSS
cPanel before 70.0.23 allows code execution because "." is in @INC during a Perl syntax check of cpaddonsup (SEC-359).
7.2CVSS
7.2AI Score
0.001EPSS
6.3CVSS
6.5AI Score
0.001EPSS
cPanel before 70.0.23 allows attackers to read the root accesshash via the WHM /cgi/trustclustermaster.cgi (SEC-364).
4.9CVSS
5.1AI Score
0.001EPSS
In cPanel before 70.0.23, OpenID providers can inject arbitrary data into cPanel session files (SEC-368).
7.3CVSS
7.2AI Score
0.001EPSS
5.4CVSS
5.1AI Score
0.001EPSS
5.4CVSS
5.1AI Score
0.001EPSS
5.5CVSS
5.5AI Score
0.0004EPSS