415 matches found
CVE-2017-18387
cPanel before 68.0.15 allows arbitrary code execution via Maketext injection in a Reseller style upload (SEC-314).
CVE-2017-18396
cPanel before 68.0.15 allows arbitrary file-read operations via Exim vdomainaliases (SEC-329).
CVE-2017-18400
cPanel before 68.0.15 allows local root code execution via cpdavd (SEC-333).
CVE-2017-18406
cPanel before 67.9999.103 allows SQL injection during eximstats processing (SEC-276).
CVE-2017-18422
In cPanel before 66.0.2, EasyApache 4 conversion sets weak domlog ownership and permissions (SEC-272).
CVE-2017-18429
In cPanel before 66.0.2, Apache HTTP Server SSL domain logs can persist on disk after an account termination (SEC-291).
CVE-2017-18430
In cPanel before 66.0.2, user and group ownership may be incorrectly set when using reassign_post_terminate_cruft (SEC-294).
CVE-2017-18431
cPanel before 66.0.1 does not reliably perform suspend/unsuspend operations on accounts (CPANEL-13941).
CVE-2017-18444
cPanel before 64.0.21 allows demo accounts to execute SSH API commands (SEC-248).
CVE-2017-18448
cPanel before 64.0.21 allows certain file-read operations via a Serverinfo_manpage API call (SEC-252).
CVE-2017-18453
cPanel before 64.0.21 does not preserve supplemental groups across account renames (SEC-260).
CVE-2017-18456
cPanel before 62.0.17 allows self XSS in the WHM cPAddons showsecurity interface (SEC-217).
CVE-2017-18463
cPanel before 62.0.17 allows code execution in the context of the root account via a long DocumentRoot path (SEC-225).
CVE-2017-18469
cPanel before 62.0.17 allows demo accounts to execute code via an NVData_fetchinc API call (SEC-233).
CVE-2018-20875
cPanel before 74.0.8 allows self XSS in the WHM Security Questions interface (SEC-433).
CVE-2018-20947
cPanel before 68.0.27 allows certain file-write operations via the telnetcrt script (SEC-356).
CVE-2019-14388
cPanel before 82.0.2 allows unauthenticated file creation because Exim log parsing is mishandled (SEC-507).
CVE-2019-14394
cPanel before 80.0.5 allows unsafe file operations in the context of the root account via the fetch_ssl_certificates_for_fqdns API (SEC-489).
CVE-2020-12785
cPanel before 86.0.14 allows attackers to obtain access to the current working directory via the account backup feature (SEC-540).
CVE-2003-1426
Openwebmail in cPanel 5.0, when run using suid Perl, adds the directory in the SCRIPT_FILENAME environment variable to Perl's @INC include array, which allows local users to execute arbitrary code by modifying SCRIPT_FILENAME to reference a directory containing a malicious openwebmail-shared.pl exe...
CVE-2006-0573
Multiple cross-site scripting (XSS) vulnerabilies in cPanel 10 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) email parameter to (a) editquota.html or (b) dodelpop.html; (2) showtree parameter to (c) diskusage.html; or the (3) mon, (4) year, (5) target, or (6)...
CVE-2006-4293
Multiple cross-site scripting (XSS) vulnerabilities in cPanel 10 allow remote attackers to inject arbitrary web script or HTML via the (1) dir parameter in dohtaccess.html, or the (2) file parameter in (a) editit.html or (b) showfile.html.
CVE-2006-5535
Multiple cross-site scripting (XSS) vulnerabilities in WebHostManager (WHM) 10.8.0 cPanel 10.9.0 R50 allow remote attackers to inject arbitrary web script or HTML via the (1) theme parameter to scripts/dosetmytheme and the (2) template parameter to scripts2/editzonetemplate.
CVE-2008-1499
Cross-site scripting (XSS) vulnerability in frontend/x/manpage.html in cPanel 11.18.3 and 11.21.0-BETA allows remote attackers to inject arbitrary web script or HTML via the query string.
CVE-2016-10828
cPanel before 55.9999.141 allows arbitrary code execution because of an unsafe @INC path (SEC-97).
CVE-2017-18386
cPanel before 68.0.15 allows arbitrary code execution via Maketext injection in PostgresAdmin (SEC-313).
CVE-2017-18391
cPanel before 68.0.15 allows attackers to read backup files because they are world-readable during a short time interval (SEC-323).
CVE-2017-18408
cPanel before 67.9999.103 allows stored XSS in WHM MySQL Password Change interfaces (SEC-282).
CVE-2017-18411
The "addon domain conversion" feature in cPanel before 67.9999.103 can copy all MySQL databases to the new account (SEC-285).
CVE-2017-18424
In cPanel before 66.0.2, the Apache HTTP Server configuration file is changed to world-readable when rebuilt (SEC-274).
CVE-2017-18442
cPanel before 64.0.21 allows demo accounts to execute Cpanel::SPFUI API commands (SEC-246).
CVE-2017-18445
cPanel before 64.0.21 does not enforce demo restrictions for SSL API calls (SEC-249).
CVE-2017-18465
cPanel before 62.0.17 does not have a sufficient list of reserved usernames (SEC-227).
CVE-2017-18472
cPanel before 62.0.4 allows reflected XSS in reset-password interfaces (SEC-198).
CVE-2017-18473
cPanel before 62.0.4 allows self XSS on the webmail Password and Security page (SEC-199).
CVE-2017-18480
cPanel before 62.0.4 does not enforce account ownership for has_mycnf_for_cpuser WHM API calls (SEC-210).
CVE-2018-20885
cPanel before 74.0.0 allows Apache HTTP Server configuration injection because of DocumentRoot variable interpolation (SEC-416).
CVE-2018-20924
cPanel before 70.0.23 allows arbitrary file-read and file-unlink operations via WHM style uploads (SEC-378).
CVE-2018-20932
cPanel before 70.0.23 exposes Apache HTTP Server logs after creation of certain domains (SEC-406).
CVE-2018-20936
cPanel before 68.0.27 allows attackers to read the SRS secret via exim.conf (SEC-308).
CVE-2019-14390
cPanel before 82.0.2 has stored XSS in the WHM Modify Account interface (SEC-512).
CVE-2019-20491
cPanel before 82.0.18 allows attackers to leverage virtual mail accounts in order to bypass account suspensions (SEC-508).
CVE-2021-31803
cPanel before 94.0.3 allows self-XSS via EasyApache 4 Save Profile (SEC-581).
CVE-2006-2825
cPanel does not automatically synchronize the PHP open_basedir configuration directive between the main server and virtual hosts that share physical directories, which might allow a local user to bypass open_basedir restrictions and access other virtual hosts via a PHP script that uses a main serve...
CVE-2007-4022
Cross-site scripting (XSS) vulnerability in frontend/x/htaccess/changepro.html in cPanel 10.9.1 allows remote attackers to inject arbitrary web script or HTML via the resname parameter.
CVE-2009-4823
Cross-site scripting (XSS) vulnerability in frontend/x3/files/fileop.html in cPanel 11.0 through 11.24.7 allows remote attackers to inject arbitrary web script or HTML via the fileop parameter.
CVE-2016-10807
cPanel before 57.9999.54 allows certain denial-of-service outcomes via /scripts/killpvhost (SEC-112).
CVE-2016-10857
cPanel before 11.54.0.0 allows a bypass of the e-mail sending limit (SEC-60).
CVE-2017-18385
cPanel before 68.0.15 allows unprivileged users to access restricted directories during account restores (SEC-311).
CVE-2017-18397
cPanel before 68.0.15 does not preserve permissions for local backup transport (SEC-330).