415 matches found
CVE-2016-10809
In cPanel before 57.9999.54, /scripts/checkinfopages exposed a TTY to an unprivileged process (SEC-114).
CVE-2016-10810
In cPanel before 57.9999.54, /scripts/maildir_converter exposed a TTY to an unprivileged process (SEC-115).
CVE-2016-10842
cPanel before 11.54.0.4 allows certain file-read operations in bin/setup_global_spam_filter.pl (SEC-74).
CVE-2016-10846
cPanel before 11.54.0.4 allows arbitrary file-chown and file-chmod operations during Roundcube database conversions (SEC-79).
CVE-2016-10860
cPanel before 11.54.0.0 allows unauthorized zone modification via the WHM API (SEC-66).
CVE-2017-18434
cPanel before 64.0.21 allows code execution in the context of the root account via a SET_VHOST_LANG_PACKAGE multilang adminbin call (SEC-237).
CVE-2017-18449
cPanel before 64.0.21 allows certain file-rename operations in the context of the root account via scripts/convert_roundcube_mysql2sqlite (SEC-254).
CVE-2018-20883
cPanel before 74.0.8 allows FTP access during account suspension (SEC-449).
CVE-2018-20894
cPanel before 74.0.0 makes web-site contents accessible to other local users via Git repositories (SEC-443).
CVE-2018-20901
cPanel before 71.9980.37 allows Remote-Stored XSS in WHM Save Theme Interface (SEC-400).
CVE-2018-20918
cPanel before 70.0.23 allows stored XSS in WHM DNS Cluster (SEC-372).
CVE-2018-20920
cPanel before 70.0.23 allows stored XSS via a WHM Edit DNS Zone action (SEC-374).
CVE-2018-20937
cPanel before 68.0.27 does not validate database and dbuser names during renames (SEC-321).
CVE-2019-14392
cPanel before 80.0.22 allows remote code execution by a demo account because of incorrect URI dispatching (SEC-501).
CVE-2019-14408
cPanel before 78.0.2 allows a demo account to link with an OpenID provider (SEC-460).
CVE-2019-14412
Maketext in cPanel before 78.0.2 allows format-string injection in the DCV check_domains_via_dns UAPI (SEC-474).
CVE-2016-10787
The Host Access Control feature in cPanel before 60.0.25 mishandles actionless host.deny entries (SEC-187).
CVE-2016-10803
cPanel before 57.9999.105 allows newline injection via LOC records (CPANEL-6923).
CVE-2016-10833
cPanel before 55.9999.141 mishandles username-based blocking for PRE requests in cPHulkd (SEC-104).
CVE-2016-10837
cPanel before 11.54.0.4 allows arbitrary code execution because of an unsafe @INC path (SEC-46).
CVE-2016-10853
cPanel before 11.54.0.4 allows stored XSS in the WHM Feature Manager interface (SEC-86).
CVE-2016-10858
cPanel before 11.54.0.0 allows unauthenticated arbitrary code execution via DNS NS entry poisoning (SEC-64).
CVE-2017-18436
cPanel before 64.0.21 allows demo accounts to read files via a Fileman::getfileactions API2 call (SEC-239).
CVE-2018-20888
cPanel before 74.0.0 allows file modification in the context of the root account because of incorrect HTTP authentication (SEC-424).
CVE-2018-20921
cPanel before 70.0.23 allows stored XSS via a WHM "Delete a DNS Zone" action (SEC-375).
CVE-2018-20928
cPanel before 70.0.23 allows stored XSS via the cpaddons vendor interface (SEC-391).
CVE-2018-20935
cPanel before 70.0.23 allows stored XSS in via a WHM "Reset a DNS Zone" action (SEC-412).
CVE-2019-14407
cPanel before 78.0.2 reveals internal data to OpenID providers (SEC-415).
CVE-2016-10779
cPanel before 60.0.25 allows stored XSS in api1_listautoresponders (SEC-179).
CVE-2016-10786
cPanel before 60.0.25 allows members of the nobody group to read Apache HTTP Server SSL keys (SEC-186).
CVE-2016-10793
cPanel before 59.9999.145 allows arbitrary code execution due to an incorrect #! in Mail::SPF scripts (SEC-152).
CVE-2016-10796
cPanel before 58.0.4 initially uses weak permissions for Apache HTTP Server log files (SEC-130).
CVE-2016-10799
cPanel before 58.0.4 does not set the Pear tmp directory during a PHP installation (SEC-137).
CVE-2016-10800
cPanel before 58.0.4 allows demo-mode escape via Site Templates and Boxtrapper API calls (SEC-138).
CVE-2016-10804
The SQLite journal feature in cPanel before 57.9999.54 allows arbitrary file-overwrite operations during Horde Restore (SEC-58).
CVE-2016-10805
cPanel before 57.9999.54 allows demo accounts to execute arbitrary code via ajax_maketext_syntax_util.pl (SEC-109).
CVE-2016-10806
cPanel before 57.9999.54 allows self XSS on the Paper Lantern Landing Page (SEC-110).
CVE-2016-10843
cPanel before 11.54.0.4 allows code execution in the context of shared users via JSON-API (SEC-76).
CVE-2016-10844
The chcpass script in cPanel before 11.54.0.4 reveals a password hash (SEC-77).
CVE-2016-10847
cPanel before 11.54.0.4 allows arbitrary file-read and file-write operations via scripts/fixmailboxpath (SEC-80).
CVE-2016-10854
cPanel before 11.54.0.4 allows self XSS in the X3 Entropy Banner interface (SEC-87).
CVE-2016-10859
cPanel before 11.54.0.0 allows unauthorized password changes via Webmail API commands (SEC-65).
CVE-2018-20878
cPanel before 74.0.8 allows stored XSS in WHM "File and Directory Restoration" interface (SEC-441).
CVE-2018-20886
cPanel before 74.0.0 insecurely stores phpMyAdmin session files (SEC-418).
CVE-2018-20897
cPanel before 71.9980.37 allows arbitrary file-unlink operations via the cPAddons moderation system (SEC-395).
CVE-2018-20914
In cPanel before 70.0.23, OpenID providers can inject arbitrary data into cPanel session files (SEC-368).
CVE-2018-20933
cPanel before 70.0.23 has Stored XSS via an WHM Edit DNS Zone action (SEC-410).
CVE-2019-14398
cPanel before 80.0.5 allows demo accounts to execute arbitrary code via ajax_maketext_syntax_util.pl (SEC-498).
CVE-2019-17377
cPanel before 82.0.15 allows self XSS in LiveAPI example scripts (SEC-524).
CVE-2016-10792
cPanel before 59.9999.145 allows code execution in the context of other accounts via mailman list archives (SEC-141).