415 matches found
CVE-2016-10784
cPanel before 60.0.25 allows self XSS in the alias upload interface (SEC-184).
CVE-2016-10785
cPanel before 60.0.25 allows attackers to discover file contents during file copy operations (SEC-185).
CVE-2016-10836
cPanel before 55.9999.141 allows arbitrary file-read operations during authentication with caldav (SEC-108).
CVE-2016-10855
cPanel before 11.54.0.4 allows unauthenticated arbitrary code execution via cpsrvd (SEC-91).
CVE-2017-18383
cPanel before 68.0.15 writes home-directory backups to an incorrect location (SEC-309).
CVE-2017-18395
cPanel before 68.0.15 does not block a username of ssl (SEC-328).
CVE-2017-18410
In cPanel before 67.9999.103, a user account's backup archive could contain all MySQL databases on the server (SEC-284).
CVE-2017-18420
cPanel before 66.0.2 allows stored XSS during WHM cPAddons processing (SEC-269).
CVE-2017-18421
cPanel before 66.0.2 allows demo accounts to create databases and users (SEC-271).
CVE-2017-18426
cPanel before 66.0.2 allows resellers to read other accounts' domain log files (SEC-288).
CVE-2017-18440
cPanel before 64.0.21 allows demo users to execute traceroute via api2 (SEC-244).
CVE-2017-18450
cPanel before 64.0.21 allows certain file-chmod operations via /scripts/convert_roundcube_mysql2sqlite (SEC-255).
CVE-2017-18457
cPanel before 62.0.17 allows arbitrary file-read operations via WHM /styled/ URLs (SEC-218).
CVE-2018-16236
cPanel through 74 allows XSS via a crafted filename in the logs subdirectory of a user account, because the filename is mishandled during frontend/THEME/raw/index.html rendering.
CVE-2018-20880
cPanel before 74.0.8 mishandles account suspension because of an invalid email_accounts.json file (SEC-445).
CVE-2018-20900
cPanel before 71.9980.37 allows stored XSS in the YUM autorepair functionality (SEC-399).
CVE-2018-20903
cPanel before 71.9980.37 allows self XSS in the WHM Backup Configuration interface (SEC-421).
CVE-2018-20912
cPanel before 70.0.23 allows demo accounts to execute code via awstats (SEC-362).
CVE-2018-20915
cPanel before 70.0.23 allows stored XSS via a WHM Edit DNS Zone action (SEC-369).
CVE-2018-20916
cPanel before 70.0.23 allows Stored XSS via a WHM Edit MX Entry (SEC-370).
CVE-2018-20922
cPanel before 70.0.23 allows stored XSS via a WHM DNS Cleanup action (SEC-376).
CVE-2018-20929
cPanel before 70.0.23 allows an open redirect via the /unprotected/redirect.html endpoint (SEC-392).
CVE-2018-20930
cPanel before 70.0.23 allows .htaccess restrictions bypass when Htaccess Optimization is enabled (SEC-401).
CVE-2018-20940
cPanel before 68.0.27 allows attackers to read root's crontab file during a short time interval upon the enabling of backups (SEC-342).
CVE-2019-14391
cPanel before 82.0.2 does not properly enforce Reseller package creation ACLs (SEC-514).
CVE-2019-14413
cPanel before 78.0.2 allows certain file-write operations as shared users during connection resets (SEC-476).
CVE-2019-14414
In cPanel before 78.0.2, a Userdata cache temporary file can conflict with domains (SEC-478).
CVE-2016-10776
cPanel before 60.0.25 allows stored XSS during the homedir removal phase of WHM Account termination (SEC-174).
CVE-2016-10777
cPanel before 60.0.25 allows self XSS in WHM Tweak Settings for autodiscover_host (SEC-177).
CVE-2016-10788
cPanel before 60.0.25 allows arbitrary code execution via Maketext in PostgreSQL adminbin (SEC-188).
CVE-2016-10797
cPanel before 58.0.4 allows WHM "Purchase and Install an SSL Certificate" page visitors to list all server domains (SEC-133).
CVE-2016-10812
In cPanel before 57.9999.54, /scripts/enablefileprotect exposed TTYs (SEC-117).
CVE-2016-10834
cPanel before 55.9999.141 allows account-suspension bypass via ftp (SEC-105).
CVE-2016-10835
cPanel before 55.9999.141 allows a POP/IMAP cPHulk bypass via account name munging (SEC-107).
CVE-2016-10838
cPanel before 11.54.0.4 allows arbitrary file-read operations via the bin/fmq script (SEC-70).
CVE-2016-10856
cPanel before 11.54.0.0 allows subaccounts to discover sensitive data through comet feeds (SEC-29).
CVE-2017-18388
cPanel before 68.0.15 can perform unsafe file operations because Jailshell does not set the umask (SEC-315).
CVE-2017-18390
cPanel before 68.0.15 allows code execution in the context of the root account because of weak permissions on incremental backups (SEC-322).
CVE-2017-18407
cPanel before 67.9999.103 does not enforce SSL hostname verification for the support-agreement download (SEC-279).
CVE-2017-18415
cPanel before 67.9999.103 allows code execution in the context of the mailman account because of incorrect environment-variable filtering (SEC-302).
CVE-2017-18416
cPanel before 67.9999.103 allows arbitrary file-overwrite operations during a Roundcube SQLite schema update (SEC-303).
CVE-2017-18423
In cPanel before 66.0.2, domain log files become readable after log processing (SEC-273).
CVE-2017-18437
cPanel before 64.0.21 allows a Webmail account to execute code via forwarders (SEC-240).
CVE-2018-20865
cPanel before 76.0.8 has Self XSS in the WHM Additional Backup Destination field (SEC-459).
CVE-2018-20910
cPanel before 70.0.23 allows self XSS in the WHM cPAddons showsecurity Interface (SEC-357).
CVE-2018-20923
cPanel before 70.0.23 allows stored XSS via a WHM Synchronize DNS Records action (SEC-377).
CVE-2019-14406
cPanel before 78.0.18 has stored XSS in the BoxTrapper Queue Listing (SEC-493).
CVE-2019-17375
cPanel before 82.0.15 allows API token credentials to persist after an account has been renamed or terminated (SEC-517).
CVE-2016-10783
cPanel before 60.0.25 allows self stored XSS in SSL_listkeys (SEC-182).
CVE-2016-10795
cPanel before 59.9999.145 allows stored XSS in the WHM tail_upcp2.cgi interface (SEC-156).