415 matches found
CVE-2017-18413
In cPanel before 67.9999.103, the backup system overwrites root's home directory when a mount disappears (SEC-299).
CVE-2017-18419
cPanel before 66.0.2 allows stored XSS during WHM cPAddons uninstallation (SEC-266).
CVE-2017-18439
cPanel before 64.0.21 allows demo accounts to execute code via an ImageManager_dimensions API call (SEC-243).
CVE-2017-18447
cPanel before 64.0.21 allows demo accounts to execute code via the ClamScanner_getsocket API (SEC-251).
CVE-2017-18455
In cPanel before 62.0.17, addon domain conversion did not require a package for resellers (SEC-208).
CVE-2017-18474
cPanel before 62.0.4 allows arbitrary file-read operations via Exim valiases (SEC-201).
CVE-2018-20862
cPanel before 76.0.8 unsafely performs PostgreSQL password changes (SEC-366).
CVE-2018-20898
cPanel before 71.9980.37 allows e-mail injection during cPAddons moderation (SEC-396).
CVE-2018-20909
cPanel before 70.0.23 allows arbitrary file-chmod operations during legacy incremental backups (SEC-338).
CVE-2019-14400
cPanel before 78.0.18 allows local users to escalate to root access because of userdata cache misparsing (SEC-479).
CVE-2019-14405
cPanel before 78.0.18 allows demo accounts to execute code via securitypolicy.cg (SEC-487).
CVE-2004-1603
cPanel 9.4.1-RELEASE-64 follows hard links, which allows local users to (1) read arbitrary files via the backup feature or (2) chown arbitrary files via the .htaccess file when Front Page extensions are enabled or disabled.
CVE-2004-1604
cPanel 9.9.1-RELEASE-3 allows remote authenticated users to chmod arbitrary files via a symlink attack on the _private directory, which is created when Front Page extensions are enabled.
CVE-2008-0370
Cross-site scripting (XSS) vulnerability in dohtaccess.html in cPanel before 11.17 build 19417 allows remote attackers to inject arbitrary web script or HTML via the rurl parameter. NOTE: some of these details are obtained from third party information.
CVE-2015-9291
cPanel before 11.52.0.13 does not prevent arbitrary file-read operations via get_information_for_applications (CPANEL-1221).
CVE-2016-10770
cPanel before 60.0.25 allows arbitrary file-overwrite operations during a Roundcube update (SEC-164).
CVE-2016-10775
cPanel before 60.0.25 allows arbitrary file-chown operations via reassign_post_terminate_cruft (SEC-173).
CVE-2016-10825
cPanel before 55.9999.141 allows attackers to bypass a Security Policy by faking static documents (SEC-92).
CVE-2016-10830
cPanel before 55.9999.141 allows ACL bypass for AppConfig applications via magic_revision (SEC-100).
CVE-2016-10832
cPanel before 55.9999.141 allows FTP cPHulk bypass via account name munging (SEC-102).
CVE-2017-18398
DnsUtils in cPanel before 68.0.15 allows zone creation for hostname and account subdomains (SEC-331).
CVE-2017-18402
cPanel before 68.0.15 allows stored XSS during a cpaddons moderated upgrade (SEC-336).
CVE-2017-18414
cPanel before 67.9999.103 allows an open redirect in /unprotected/redirect.html (SEC-300).
CVE-2017-18438
cPanel before 64.0.21 allows demo accounts to execute code via Encoding API calls (SEC-242).
CVE-2017-18446
cPanel before 64.0.21 allows file-read and file-write operations for demo accounts via the SourceIPCheck API (SEC-250).
CVE-2018-20864
cPanel before 76.0.8 allows a persistent Virtual FTP accounts after removal of its associated domain (SEC-454).
CVE-2018-20866
cPanel before 76.0.8 has Stored XSS in the WHM "Reset a DNS Zone" feature (SEC-461).
CVE-2018-20868
cPanel before 76.0.8 has Stored XSS in the WHM MultiPHP Manager interface (SEC-464).
CVE-2018-20877
cPanel before 74.0.8 allows self XSS in WHM Style Upload interface (SEC-437).
CVE-2018-20881
cPanel before 74.0.8 allows self stored XSS on the Security Questions login page (SEC-446).
CVE-2018-20926
cPanel before 70.0.23 allows local privilege escalation via the WHM Locale XML Upload interface (SEC-380).
CVE-2019-14404
cPanel before 78.0.18 allows certain file-read operations in the context of the root account via the Exim virtual_user_spam router (SEC-484).
CVE-2019-14410
Maketext in cPanel before 78.0.2 allows format-string injection in the Email store_filter UAPI (SEC-472).
CVE-2021-26266
cPanel before 92.0.9 allows a Reseller to bypass the suspension lock (SEC-578).
CVE-2004-1849
Multiple cross-site scripting (XSS) vulnerabilities in cPanel 9.1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) email parameter to dodelautores.html or (2) handle parameter to addhandle.html.
CVE-2016-10769
cPanel before 60.0.25 allows an open redirect via /cgi-sys/FormMail-clone.cgi (SEC-162).
CVE-2016-10772
cPanel before 60.0.25 does not enforce feature-list restrictions when calling the multilang adminbin (SEC-168).
CVE-2016-10773
cPanel before 60.0.25 allows format-string injection in exception-message handling (SEC-171).
CVE-2016-10789
cPanel before 60.0.25 allows code execution via the cpsrvd 403 error response handler (SEC-191).
CVE-2016-10791
cPanel before 60.0.15 does not ensure that system accounts lack a valid password, so that logins are impossible (CPANEL-9559).
CVE-2016-10798
cPanel before 58.0.4 allows a file-ownership change (to nobody) via rearrangeacct (SEC-134).
CVE-2016-10840
cPanel before 11.54.0.4 allows arbitrary code execution during locale duplication (SEC-72).
CVE-2016-10850
cPanel before 11.54.0.4 allows arbitrary code execution via scripts/synccpaddonswithsqlhost (SEC-83).
CVE-2017-18399
cPanel before 68.0.15 allows attackers to read root's crontab file during a short time interval upon enabling or disabling sqloptimizer (SEC-332).
CVE-2017-18412
cPanel before 67.9999.103 allows Apache HTTP Server log files to become world-readable because of mishandling on an account rename (SEC-296).
CVE-2017-18452
cPanel before 64.0.21 allows code execution via Rails configuration files (SEC-259).
CVE-2017-18459
cPanel before 62.0.17 allows arbitrary code execution during account modification (SEC-220).
CVE-2017-18461
cPanel before 62.0.17 allows does not preserve security policy questions across an account rename (SEC-223).
CVE-2017-18467
cPanel before 62.0.17 allows access to restricted resources because of a URL filtering error (SEC-229).
CVE-2018-20890
cPanel before 74.0.0 allows arbitrary zone file modifications during record edits (SEC-426).