CVE-2018-20904
cPanel before 71.9980.37 allows attackers to make API calls that bypass the cron feature restriction (SEC-427).
CVE-2019-14396
API Analytics adminbin in cPanel before 80.0.5 allows spoofed insertions of log data (SEC-495).
CVE-2019-14401
cPanel before 78.0.18 allows code execution via an addforward API1 call (SEC-480).
CVE-2019-14409
cPanel before 78.0.2 allows arbitrary file-read operations via Passenger adminbin (SEC-466).
CVE-2006-0533
Cross-site scripting (XSS) vulnerability in webmailaging.cgi in cPanel allows remote attackers to inject arbitrary web script or HTML via the numdays parameter.
CVE-2006-0763
Cross-site scripting (XSS) vulnerability in dowebmailforward.cgi in cPanel allows remote attackers to inject arbitrary web script or HTML via a URL encoded value in the fwd parameter.
CVE-2016-10767
cPanel before 60.0.25 allows stored XSS in the WHM Repair Mailbox Permissions interface (SEC-159).
CVE-2016-10771
cPanel before 60.0.25 allows file-create and file-chmod operations during ModSecurity Audit logfile processing (SEC-165).
CVE-2016-10774
cPanel before 60.0.25 allows self XSS in the tail_ea4_migration.cgi interface (SEC-172).
CVE-2016-10794
cPanel before 59.9999.145 allows arbitrary file-read operations because of a multipart form processing error (SEC-154).
CVE-2016-10801
cPanel before 58.0.4 has improper session handling for shared users (SEC-139).
CVE-2016-10802
cPanel before 58.0.4 allows code execution in the context of other user accounts through the PHP CGI handler (SEC-142).
CVE-2016-10839
cPanel before 11.54.0.4 allows SQL injection in bin/horde_update_usernames (SEC-71).
CVE-2016-10851
cPanel before 11.54.0.4 allows self XSS in the WHM PHP Configuration editor interface (SEC-84).
CVE-2017-18382
cPanel before 68.0.15 allows use of an unreserved e-mail address in DNS zone SOA records (SEC-306).
CVE-2017-18394
cPanel before 68.0.15 does not have a sufficient list of reserved usernames (SEC-327).
CVE-2017-18404
cPanel before 68.0.15 allows domain data to be deleted for domains with the .lock TLD (SEC-341).
CVE-2017-18405
cPanel before 68.0.15 allows arbitrary file-read operations because of the backup .htaccess modification logic (SEC-345).
CVE-2017-18425
In cPanel before 66.0.2, the cpdavd_error_log file can be created with weak permissions (SEC-280).
CVE-2017-18441
cPanel before 64.0.21 allows demo accounts to redirect web traffic (SEC-245).
CVE-2017-18451
cPanel before 64.0.21 allows attackers to read a user's crontab file during a short time interval upon a cPAddon upgrade (SEC-257).
CVE-2017-18454
cPanel before 62.0.24 allows stored XSS in the WHM cPAddons install interface (SEC-262).
CVE-2017-18458
cPanel before 62.0.17 allows file overwrite when renaming an account (SEC-219).
CVE-2017-18462
cPanel before 62.0.17 allows a CPHulk one-day ban bypass when IP based protection is enabled (SEC-224).
CVE-2017-18464
cPanel before 62.0.17 allows arbitrary file-overwrite operations via the WHM Zone Template editor (SEC-226).
CVE-2017-18471
cPanel before 62.0.4 allows self XSS on the paper_lantern password-change screen (SEC-197).
CVE-2017-18479
In cPanel before 62.0.4, WHM SSL certificate generation uses an unreserved e-mail address (SEC-209).
CVE-2018-20869
cPanel before 76.0.8 allows arbitrary code execution in the context of the root account via dnssec adminbin (SEC-465).
CVE-2018-20870
The WebDAV transport feature in cPanel before 76.0.8 enables debug logging (SEC-467).
CVE-2018-20873
cPanel before 74.0.8 allows local users to disable the ClamAV daemon (SEC-409).
CVE-2018-20876
cPanel before 74.0.8 allows self XSS in the Site Software Moderation interface (SEC-434).
CVE-2018-20884
cPanel before 74.0.0 allows stored XSS in the WHM File Restoration interface (SEC-367).
CVE-2018-20892
cPanel before 74.0.0 allows arbitrary zone file modifications because of incorrect CAA record handling (SEC-439).
CVE-2018-20896
cPanel before 71.9980.37 allows code injection in the WHM cPAddons interface (SEC-394).
CVE-2018-20902
cPanel before 71.9980.37 allows attackers to read root's crontab file by leveraging ClamAV installation (SEC-408).
CVE-2018-20905
cPanel before 71.9980.37 allows attackers to make API calls that bypass the backup feature restriction (SEC-429).
CVE-2018-20907
cPanel before 71.9980.37 does not enforce the Mime::list_hotlinks API feature restriction (SEC-432).
CVE-2018-20913
cPanel before 70.0.23 allows attackers to read the root accesshash via the WHM /cgi/trustclustermaster.cgi (SEC-364).
CVE-2018-20931
cPanel before 70.0.23 allows demo accounts to execute code via the Landing Page (SEC-405).
CVE-2018-20934
cPanel before 70.0.23 does not prevent e-mail account suspensions from being applied to unowned accounts (SEC-411).
CVE-2019-14387
cPanel before 82.0.2 has Self XSS in the cPanel and webmail master templates (SEC-506).
CVE-2019-14389
cPanel before 82.0.2 allows local users to discover the MySQL root password (SEC-510).
CVE-2019-14399
The SSL certificate-storage feature in cPanel before 78.0.18 allows unsafe file operations in the context of the root account (SEC-477).
CVE-2019-14402
cPanel before 78.0.18 unsafely determines terminal capabilities by using infocmp (SEC-481).
CVE-2019-14411
cPanel before 78.0.2 does not properly restrict demo accounts from writing to files via the DCV UAPI (SEC-473).
CVE-2019-17376
cPanel before 82.0.15 allows self XSS in the SSL Certificate Upload interface (SEC-521).
CVE-2019-17380
cPanel before 82.0.15 allows self XSS in the WHM Update Preferences interface (SEC-528).
CVE-2016-10778
cPanel before 60.0.25 allows self stored XSS in the listftpstable API (SEC-178).
CVE-2016-10780
cPanel before 60.0.25 allows stored XSS in the ftp_sessions API (SEC-180).
CVE-2016-10782
cPanel before 60.0.25 allows self stored XSS in postgres API1 listdbs (SEC-181).