Cross-site scripting (XSS) vulnerability in frontend/x3/files/fileop.html in cPanel 11.0 through 11.24.7 allows remote attackers to inject arbitrary web script or HTML via the fileop parameter.
cPanel before 59.9999.145 allows stored XSS in the WHM tail_upcp2.cgi interface (SEC-156).
cPanel before 71.9980.37 allows stored XSS in the YUM autorepair functionality (SEC-399).
cPanel before 68.0.27 allows self XSS in WHM Spamd Startup Config (SEC-387).
cPanel before 70.0.23 allows stored XSS in WHM DNS Cluster (SEC-372).
cPanel before 76.0.8 has Stored XSS in the WHM "Reset a DNS Zone" feature (SEC-461).
cPanel before 68.0.27 allows self XSS in cPanel Backup Restoration (SEC-383).
cPanel before 71.9980.37 allows Remote-Stored XSS in WHM Save Theme Interface (SEC-400).
cPanel before 70.0.23 allows self XSS in the WHM cPAddons showsecurity Interface (SEC-357).
cPanel before 71.9980.37 allows self XSS in the WHM Backup Configuration interface (SEC-421).
cPanel before 70.0.23 allows stored XSS via a WHM Synchronize DNS Records action (SEC-377).
cPanel before 70.0.23 allows stored XSS via a WHM Create Account action (SEC-373).
Multiple cross-site scripting (XSS) vulnerabilities in autoinstall4imagesgalleryupgrade.php in the Fantastico De Luxe Module for cPanel allow remote attackers to inject arbitrary web script or HTML via the (1) localapp, (2) updatedir, (3) scriptpath_show, (4) domain_show, (5) thispage, (6) thisapp, and (7) currentversion parameters in an Upgrade action.
cPanel before 76.0.8 has Self XSS in the WHM Additional Backup Destination field (SEC-459).
cPanel before 70.0.23 allows stored XSS via a WHM Edit DNS Zone action (SEC-374).
cPanel before 70.0.23 allows stored XSS via a WHM DNS Cleanup action (SEC-376).
cPanel before 68.0.27 allows self stored XSS in WHM Account Transfer (SEC-386).
cPanel before 68.0.27 allows self XSS in the WHM listips interface (SEC-389).
cPanel before 70.0.23 allows stored XSS via a WHM "Delete a DNS Zone" action (SEC-375).
cPanel before 71.9980.37 allows stored XSS in the WHM cPAddons installation interface (SEC-398).
cPanel before 68.0.27 allows self XSS in WHM Apache Configuration Include Editor (SEC-385).
cPanel before 70.0.23 allows stored XSS via the cpaddons vendor interface (SEC-391).
cPanel through 74 allows XSS via a crafted filename in the logs subdirectory of a user account, because the filename is mishandled during frontend/THEME/raw/index.html rendering.
cPanel before 76.0.8 has Stored XSS in the WHM MultiPHP Manager interface (SEC-464).
Cross-site scripting (XSS) vulnerability in mime/handle.html in cPanel 10 allows remote attackers to inject arbitrary web script or HTML via the (1) file extension or (2) mime-type.
Multiple cross-site request forgery (CSRF) vulnerabilities in cPanel, possibly 11.18.3 and 11.19.3, allow remote attackers to (1) execute arbitrary code via the command1 parameter to frontend/x2/cron/editcronsimple.html, and perform various administrative actions via (2) frontend/x2/sql/adddb.html, (3) frontend/x2/sql/adduser.html, and (4) frontend/x2/ftp/doaddftp.html.
Cross-site scripting (XSS) vulnerability in frontend/x/manpage.html in cPanel 11.18.3 and 11.21.0-BETA allows remote attackers to inject arbitrary web script or HTML via the query string.
Multiple cross-site request forgery (CSRF) vulnerabilities in the WHM interface 11.15.0 for cPanel 11.18 before 11.18.4 and 11.22 before 11.22.3 allow remote attackers to perform unauthorized actions as cPanel administrators via requests to cpanel/whm/webmail and other unspecified vectors.
The WHM interface 11.15.0 for cPanel 11.18 before 11.18.4 and 11.22 before 11.22.3 allows remote attackers to bypass XSS protection and inject arbitrary script or HTML via repeated, improperly-ordered "<" and ">" characters in the (1) issue parameter to scripts2/knowlegebase, (2) user parameter to scripts2/changeip, (3) search parameter to scripts2/listaccts, and other unspecified vectors.
Cross-site scripting (XSS) vulnerability in dohtaccess.html in cPanel before 11.17 build 19417 allows remote attackers to inject arbitrary web script or HTML via the rurl parameter. NOTE: some of these details are obtained from third party information.
Cross-site scripting (XSS) vulnerability in frontend/x/htaccess/changepro.html in cPanel 10.9.1 allows remote attackers to inject arbitrary web script or HTML via the resname parameter.
Cross-site scripting (XSS) vulnerability in cgiemail and cgiecho allows remote attackers to inject arbitrary web script or HTML via the addendum parameter.
Cross-site scripting (XSS) vulnerability in Simple CGI Wrapper (scgiwrap) in cPanel before 10.9.1, and 11.x before 11.4.19-R14378, allows remote attackers to inject arbitrary web script or HTML via the URI. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
Multiple cross-site scripting (XSS) vulnerabilities in WebHostManager (WHM) 10.8.0 cPanel 10.9.0 R50 allow remote attackers to inject arbitrary web script or HTML via the (1) theme parameter to scripts/dosetmytheme and the (2) template parameter to scripts2/editzonetemplate.
Multiple cross-site scripting (XSS) vulnerabilities in cPanel 10 allow remote attackers to inject arbitrary web script or HTML via the (1) dir parameter in dohtaccess.html, or the (2) file parameter in (a) editit.html or (b) showfile.html.
Cross-site scripting (XSS) vulnerability in webmailaging.cgi in cPanel allows remote attackers to inject arbitrary web script or HTML via the numdays parameter.
Multiple cross-site scripting (XSS) vulnerabilies in cPanel 10 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) email parameter to (a) editquota.html or (b) dodelpop.html; (2) showtree parameter to (c) diskusage.html; or the (3) mon, (4) year, (5) target, or (6) domain parameter to (d) stats/detailbw.html.
Cross-site Scripting (XSS) in cPanel WebHost Manager (WHM) 11.34.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Cross-site scripting (XSS) vulnerability in the Entropy Chat script in cPanel 10.2.0-R82 and 10.6.0-R137 allows remote attackers to inject arbitrary web script or HTML via a chat message containing Javascript in style attributes in tags such as <b>, which are processed by Internet Explorer.
cPanel before 90.0.10 allows self XSS via the Cron Jobs interface (SEC-573).
cPanel before 90.0.10 allows self XSS via the WHM Edit DNS Zone interface (SEC-566).
cPanel before 88.0.13 allows self XSS via DNS Zone Manager DNSSEC interfaces (SEC-564).
Multiple cross-site scripting (XSS) vulnerabilities in cPanel 9.1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) email parameter to dodelautores.html or (2) handle parameter to addhandle.html.
cPanel before 62.0.4 allows reflected XSS in reset-password interfaces (SEC-198).
cPanel before 84.0.20 allows self XSS via a temporary character-set specification (SEC-515).
cPanel before 84.0.20 allows stored self-XSS via the HTML file editor (SEC-535).
cPanel before 62.0.17 allows self XSS in the WHM cPAddons showsecurity interface (SEC-217).
cPanel before 82.0.15 allows self XSS in the WHM Update Preferences interface (SEC-528).
cPanel before 82.0.15 allows self stored XSS in the WHM SSL Storage Manager interface (SEC-527).
cPanel before 82.0.15 allows self XSS in LiveAPI example scripts (SEC-524).