Cpanel Security Vulnerabilities and Issues — Cpanel CVE List

Lucene search

CpanelCpanel

415 matches found

CVE•added 2019/08/05 12:15 p.m.•662 views

CVE-2017-18468

cPanel before 62.0.17 allows demo accounts to execute code via the Htaccess::setphppreference API (SEC-232).

6.5CVSS6.5AI score0.0082EPSS

CVE•added 2019/08/02 4:15 p.m.•443 views

CVE-2017-18427

In cPanel before 66.0.2, weak log-file permissions can occur after account modification (SEC-289).

3.3CVSS4.3AI score0.0005EPSS

CVE•added 2023/04/27 9:15 p.m.•285 views

CVE-2023-29489

An issue was discovered in cPanel before 11.109.9999.116. XSS can occur on the cpsrvd error page via an invalid webcall ID, aka SEC-669. The fixed versions are 11.109.9999.116, 11.108.0.13, 11.106.0.18, and 11.102.0.31.

6.1CVSS5.8AI score0.92851EPSS

In wild

CVE•added 2020/03/17 3:15 p.m.•81 views

CVE-2020-10120

cPanel before 84.0.20 allows resellers to achieve remote code execution as root via a cpsrvd rsync shell (SEC-545).

9CVSS7.4AI score0.05371EPSS

CVE•added 2020/03/17 3:15 p.m.•80 views

CVE-2020-10116

cPanel before 84.0.20 allows attackers to bypass intended restrictions on features and demo accounts via WebDisk UAPI calls (SEC-541).

5.3CVSS5.3AI score0.00188EPSS

CVE•added 2020/03/17 3:15 p.m.•78 views

CVE-2020-10115

cPanel before 84.0.20, when PowerDNS is used, allows arbitrary code execution as root via dnsadmin. (SEC-537).

9CVSS7.4AI score0.00518EPSS

CVE•added 2008/05/12 4:20 p.m.•72 views

CVE-2008-2070

The WHM interface 11.15.0 for cPanel 11.18 before 11.18.4 and 11.22 before 11.22.3 allows remote attackers to bypass XSS protection and inject arbitrary script or HTML via repeated, improperly-ordered "" characters in the (1) issue parameter to scripts2/knowlegebase, (2) user parameter to scripts2/...

4.3CVSS5.9AI score0.01625EPSS

Web

CVE•added 2019/08/01 7:15 p.m.•67 views

CVE-2016-10816

cPanel before 57.9999.54 allows Webmail accounts to execute arbitrary code through forwarders (SEC-121).

8.8CVSS8.9AI score0.00976EPSS

CVE•added 2019/08/01 5:15 p.m.•67 views

CVE-2016-10827

cPanel before 55.9999.141 allows self stored XSS in WHM Edit System Mail Preferences (SEC-96).

5.4CVSS5.2AI score0.00263EPSS

CVE•added 2021/08/11 11:15 p.m.•67 views

CVE-2021-38585

The WHM Locale Upload feature in cPanel before 98.0.1 allows unserialization attacks (SEC-585).

7.2CVSS6.9AI score0.01259EPSS

CVE•added 2004/08/18 4:0 a.m.•65 views

CVE-2004-0490

cPanel, when compiling Apache 1.3.29 and PHP with the mod_phpsuexec option, does not set the --enable-discard-path option, which causes php to use the SCRIPT_FILENAME variable to find and execute a script instead of the PATH_TRANSLATED variable, which allows local users to execute arbitrary PHP cod...

7.2CVSS7.1AI score0.00819EPSS

CVE•added 2019/08/01 7:15 p.m.•65 views

CVE-2016-10817

cPanel before 57.9999.54 allows SQL Injection via the ModSecurity TailWatch log file (SEC-123).

10CVSS9.8AI score0.00394EPSS

CVE•added 2020/09/25 6:15 a.m.•65 views

CVE-2020-26100

chsh in cPanel before 88.0.3 allows a Jailshell escape (SEC-497).

9.8CVSS9.3AI score0.00976EPSS

CVE•added 2019/08/01 7:15 p.m.•63 views

CVE-2016-10821

In cPanel before 55.9999.141, Scripts/addpop reveals a command-line password in a process list (SEC-75).

6.5CVSS6.5AI score0.00327EPSS

Web

CVE•added 2019/08/01 7:15 p.m.•62 views

CVE-2016-10815

cPanel before 57.9999.54 allows arbitrary file-read operations for Webmail accounts via Branding APIs (SEC-120).

6.5CVSS6.6AI score0.00327EPSS

CVE•added 2021/08/11 11:15 p.m.•62 views

CVE-2021-38590

In cPanel before 96.0.8, weak permissions on web stats can lead to information disclosure (SEC-584).

5.5CVSS5.2AI score0.00043EPSS

CVE•added 2019/08/01 7:15 p.m.•61 views

CVE-2016-10813

cPanel before 57.9999.54 allows self XSS during ftp account creation under addon domains (SEC-118).

5.4CVSS5.3AI score0.00263EPSS

CVE•added 2021/08/11 11:15 p.m.•61 views

CVE-2021-38589

In cPanel before 96.0.13, scripts/fix-cpanel-perl does not properly restrict the overwriting of files (SEC-588).

8.1CVSS8AI score0.00372EPSS

CVE•added 2007/10/20 10:0 a.m.•60 views

CVE-2003-1425

guestbook.cgi in cPanel 5.0 allows remote attackers to execute arbitrary commands via the template parameter.

10CVSS7.7AI score0.03679EPSS

CVE•added 2019/08/01 7:15 p.m.•60 views

CVE-2016-10820

cPanel before 55.9999.141 allows daemons to access their controlling TTYs (SEC-31).

9CVSS8.5AI score0.00336EPSS

CVE•added 2020/03/17 3:15 p.m.•60 views

CVE-2020-10118

cPanel before 84.0.20 allows a demo account to modify files via Branding API calls (SEC-543).

9.1CVSS9AI score0.00341EPSS

CVE•added 2020/09/25 6:15 a.m.•60 views

CVE-2020-26098

cPanel before 88.0.3 mishandles the Exim filter path, leading to remote code execution (SEC-485).

9.8CVSS9.7AI score0.09234EPSS

CVE•added 2020/11/27 2:15 a.m.•60 views

CVE-2020-29136

In cPanel before 90.0.17, 2FA can be bypassed via a brute-force approach (SEC-575).

6.5CVSS6.4AI score0.00257EPSS

CVE•added 2019/08/01 7:15 p.m.•59 views

CVE-2016-10814

cPanel before 57.9999.54 allows demo-mode escape via show_template.stor (SEC-119).

8.8CVSS8.6AI score0.00511EPSS

CVE•added 2019/08/01 7:15 p.m.•58 views

CVE-2016-10819

In cPanel before 57.9999.54, user log files become world-readable when rotated by cpanellogd (SEC-125).

6.5CVSS6.5AI score0.00327EPSS

CVE•added 2020/03/17 3:15 p.m.•58 views

CVE-2019-20493

cPanel before 82.0.18 allows self-XSS because JSON string escaping is mishandled (SEC-520).

6.1CVSS6.3AI score0.00423EPSS

CVE•added 2020/09/25 6:15 a.m.•58 views

CVE-2020-26105

In cPanel before 88.0.3, insecure chkservd test credentials are used on a templated VM (SEC-554).

9.8CVSS9.3AI score0.00549EPSS

CVE•added 2020/09/25 6:15 a.m.•58 views

CVE-2020-26109

cPanel before 88.0.13 allows bypass of a protection mechanism that attempted to restrict package modification (SEC-557).

7.5CVSS7.5AI score0.00383EPSS

CVE•added 2021/08/11 11:15 p.m.•58 views

CVE-2021-38584

The WHM Locale Upload feature in cPanel before 98.0.1 allows XXE attacks (SEC-585).

7.2CVSS6.9AI score0.00403EPSS

CVE•added 2020/03/17 3:15 p.m.•57 views

CVE-2019-20492

cPanel before 82.0.18 allows authentication bypass because of misparsing of the format of the password file (SEC-516).

8.8CVSS8.9AI score0.00188EPSS

CVE•added 2020/03/17 3:15 p.m.•57 views

CVE-2019-20494

In cPanel before 82.0.18, Cpanel::Rand::Get can produce a predictable series of numbers (SEC-525).

3.3CVSS4.3AI score0.00127EPSS

CVE•added 2020/03/17 3:15 p.m.•57 views

CVE-2020-10114

cPanel before 84.0.20 allows stored self-XSS via the HTML file editor (SEC-535).

6.1CVSS6.2AI score0.00421EPSS

CVE•added 2020/09/25 6:15 a.m.•57 views

CVE-2020-26099

cPanel before 88.0.3 allows attackers to bypass the SMTP greylisting protection mechanism (SEC-491).

7.5CVSS7.5AI score0.00383EPSS

CVE•added 2021/08/11 11:15 p.m.•57 views

CVE-2021-38588

In cPanel before 96.0.13, fix_cpanel_perl lacks verification of the integrity of downloads (SEC-587).

8.1CVSS8AI score0.00191EPSS

CVE•added 2020/03/17 3:15 p.m.•56 views

CVE-2019-20498

cPanel before 82.0.18 allows WebDAV authentication bypass because the connection-sharing logic is incorrect (SEC-534).

9.8CVSS9.6AI score0.00139EPSS

CVE•added 2020/09/25 6:15 a.m.•56 views

CVE-2020-26106

cPanel before 88.0.3 has weak permissions (world readable) for the proxy subdomains log file (SEC-558).

7.5CVSS7.6AI score0.00406EPSS

CVE•added 2020/09/25 6:15 a.m.•56 views

CVE-2020-26108

cPanel before 88.0.13 mishandles file-extension dispatching, leading to code execution (SEC-488).

9.8CVSS9.5AI score0.03821EPSS

CVE•added 2020/09/25 6:15 a.m.•55 views

CVE-2020-26101

In cPanel before 88.0.3, insecure RNDC credentials are used for BIND on a templated VM (SEC-549).

9.8CVSS9.4AI score0.00549EPSS

CVE•added 2020/11/27 2:15 a.m.•55 views

CVE-2020-29135

cPanel before 90.0.17 has multiple instances of URL parameter injection (SEC-567).

4.1CVSS4.8AI score0.00212EPSS

CVE•added 2005/03/10 5:0 a.m.•54 views

CVE-2004-1769

The "Allow cPanel users to reset their password via email" feature in cPanel 9.1.0 build 34 and earlier, including 8.x, allows remote attackers to execute arbitrary code via the user parameter to resetpass.

10CVSS7.9AI score0.0439EPSS

CVE•added 2020/03/17 3:15 p.m.•54 views

CVE-2020-10119

cPanel before 84.0.20 allows a demo account to achieve remote code execution via a cpsrvd rsync shell (SEC-544).

9.8CVSS9.6AI score0.02833EPSS

CVE•added 2019/08/01 7:15 p.m.•53 views

CVE-2016-10826

cPanel before 55.9999.141 allows attackers to bypass Two Factor Authentication via DNS clustering requests (SEC-93).

8.8CVSS8.6AI score0.00431EPSS

CVE•added 2019/08/05 1:15 p.m.•53 views

CVE-2017-18476

Leech Protect in cPanel before 62.0.4 does not protect certain directories (SEC-205).

7.5CVSS7.5AI score0.00322EPSS

CVE•added 2019/08/01 5:15 p.m.•53 views

CVE-2018-20942

cPanel before 68.0.27 allows attackers to read root's crontab file during a short time interval upon configuring crontab (SEC-351).

2.5CVSS4AI score0.00066EPSS

CVE•added 2020/03/17 3:15 p.m.•53 views

CVE-2020-10121

cPanel before 84.0.20 allows a demo account to achieve code execution via PassengerApps APIs (SEC-546).

9.8CVSS9.5AI score0.00589EPSS

CVE•added 2020/09/25 6:15 a.m.•53 views

CVE-2020-26103

In cPanel before 88.0.3, an insecure site password is used for Mailman on a templated VM (SEC-551).

7.5CVSS7.6AI score0.00537EPSS

CVE•added 2020/09/25 6:15 a.m.•53 views

CVE-2020-26104

In cPanel before 88.0.3, an insecure SRS secret is used on a templated VM (SEC-552).

7.5CVSS7.5AI score0.00627EPSS

CVE•added 2020/09/25 6:15 a.m.•53 views

CVE-2020-26115

cPanel before 90.0.10 allows self XSS via the Cron Editor interface (SEC-574).

6.1CVSS5.9AI score0.00359EPSS

CVE•added 2021/08/11 11:15 p.m.•53 views

CVE-2021-38586

In cPanel before 98.0.1, /scripts/cpan_config performs unsafe operations on files (SEC-589).

4.4CVSS4.8AI score0.00067EPSS

CVE•added 2019/08/01 2:15 p.m.•52 views

CVE-2018-20887

cPanel before 74.0.0 allows SQL injection during database backups (SEC-420).

9.8CVSS9.8AI score0.00264EPSS

Total number of security vulnerabilities415