CVE-2016-10845
cPanel before 11.54.0.4 allows arbitrary file-overwrite operations in scripts/check_system_storable (SEC-78).
CVE-2016-10848
cPanel before 11.54.0.4 allows arbitrary file-overwrite operations in scripts/quotacheck (SEC-81).
CVE-2018-20874
cPanel before 74.0.8 allows self XSS in the WHM "Create a New Account" interface (SEC-428).
CVE-2018-20882
cPanel before 74.0.8 allows arbitrary file-write operations in the context of the root account during WHM Force Password Change (SEC-447).
CVE-2018-20908
cPanel before 71.9980.37 allows arbitrary file-read operations during pkgacct custom template handling (SEC-435).
CVE-2018-20919
cPanel before 70.0.23 allows stored XSS via a WHM Create Account action (SEC-373).
CVE-2019-17379
cPanel before 82.0.15 allows self stored XSS in the WHM SSL Storage Manager interface (SEC-527).
CVE-2016-10781
cPanel before 60.0.25 allows self XSS in the UI_confirm API (SEC-180).
CVE-2016-10808
In cPanel before 57.9999.54, /scripts/addpop and /scripts/delpop exposed TTYs (SEC-113).
CVE-2018-20879
cPanel before 74.0.8 allows demo accounts to execute arbitrary code via the Fileman::viewfile API (SEC-444).
CVE-2018-20893
cPanel before 74.0.0 allows file-rename operations during account renames (SEC-442).
CVE-2018-20867
cPanel before 76.0.8 has an open redirect when resetting connections (SEC-462).
CVE-2018-20895
In cPanel before 71.9980.37, API tokens retain ACLs after those ACLs are removed from the corresponding accounts (SEC-393).
CVE-2016-10841
The bin/mkvhostspasswd script in cPanel before 11.54.0.4 discloses password hashes (SEC-73).
CVE-2016-10790
cPanel before 60.0.25 does not use TLS for HTTP POSTs to listinput.cpanel.net (SEC-192).