Directory traversal vulnerability in autoinstall4imagesgalleryupgrade.php in the Fantastico De Luxe Module for cPanel allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the scriptpath_show parameter in a GoAhead action. NOTE: this issue only crosses privilege boundaries when security settings such as disable_functions and safe_mode are active, since exploitation requires uploading of executable code to a home directory.
Cross-site scripting (XSS) vulnerability in mail/manage.html in BoxTrapper in cPanel 11 allows remote attackers to inject arbitrary web script or HTML via the account parameter.
In cPanel before 96.0.13, fix_cpanel_perl lacks verification of the integrity of downloads (SEC-587).
Cross-site scripting (XSS) vulnerability in cPanel 6.4.2 allows remote attackers to insert arbitrary HTML and possibly gain cPanel administrator privileges via script in a URL that is logged but not properly quoted when displayed via the (1) Error Log or (2) Latest Visitors screens.
Format string vulnerability in cgiemail and cgiecho allows remote attackers to execute arbitrary code via format string specifiers in a template file.
cPanel before 59.9999.145 allows arbitrary code execution due to an incorrect #! in Mail::SPF scripts (SEC-152).
In cPanel before 57.9999.54, /scripts/enablefileprotect exposed TTYs (SEC-117).
cPanel before 11.54.0.4 allows arbitrary code execution via scripts/synccpaddonswithsqlhost (SEC-83).
The Host Access Control feature in cPanel before 60.0.25 mishandles actionless host.deny entries (SEC-187).
cPanel before 55.9999.141 allows unauthenticated arbitrary code execution via DNS NS entry poisoning (SEC-90).
cPanel before 60.0.25 allows file-create and file-chmod operations during ModSecurity Audit logfile processing (SEC-165).
cPanel before 60.0.25 allows file-overwrite operations during preparation for MySQL upgrades (SEC-161).
cPanel before 57.9999.54 allows certain denial-of-service outcomes via /scripts/killpvhost (SEC-112).
cPanel before 57.9999.54 allows demo accounts to execute arbitrary code via ajax_maketext_syntax_util.pl (SEC-109).
cPanel before 57.9999.54 allows demo-mode escape via show_template.stor (SEC-119).
The SQLite journal feature in cPanel before 57.9999.54 allows arbitrary file-overwrite operations during Horde Restore (SEC-58).
cPanel before 57.9999.54 allows Webmail accounts to execute arbitrary code through forwarders (SEC-121).
cPanel before 11.54.0.4 allows unauthenticated arbitrary code execution via cpsrvd (SEC-91).
cPanel before 60.0.25 allows code execution via the cpsrvd 403 error response handler (SEC-191).
cPanel before 11.54.0.4 allows certain file-read operations in bin/setup_global_spam_filter.pl (SEC-74).
In cPanel before 57.9999.54, /scripts/addpop and /scripts/delpop exposed TTYs (SEC-113).
cPanel before 60.0.25 allows arbitrary code execution via Maketext in PostgreSQL adminbin (SEC-188).
cPanel before 60.0.25 allows arbitrary file-chown operations via reassign_post_terminate_cruft (SEC-173).
cPanel before 60.0.25 allows arbitrary file-overwrite operations during a Roundcube update (SEC-164).
cPanel before 55.9999.141 allows arbitrary code execution in the context of the root account because of MakeText interpolation (SEC-89).
cPanel before 74.0.8 allows local users to disable the ClamAV daemon (SEC-409).
cPanel before 74.0.0 allows file-rename operations during account renames (SEC-442).
cPanel before 70.0.23 allows demo accounts to execute code via awstats (SEC-362).
cPanel before 64.0.21 does not preserve supplemental groups across account renames (SEC-260).
cPanel before 62.0.4 allows resellers to use the WHM enqueue_transfer_item API for queueing non-rearrange modules (SEC-213).
cPanel before 62.0.17 allows code execution in the context of the root account via a long DocumentRoot path (SEC-225).
cPanel before 62.0.17 does not have a sufficient list of reserved usernames (SEC-227).
cPanel before 62.0.17 allows file overwrite when renaming an account (SEC-219).
cPanel before 64.0.21 allows demo users to execute traceroute via api2 (SEC-244).
cPanel before 74.0.8 allows FTP access during account suspension (SEC-449).
cPanel before 76.0.8 allows remote attackers to execute arbitrary code via mailing-list attachments (SEC-452).
In cPanel before 71.9980.37, API tokens retain ACLs after those ACLs are removed from the corresponding accounts (SEC-393).
cPanel before 70.0.23 allows any user to disable Solr (SEC-371).
cPanel before 76.0.8 allows a persistent Virtual FTP accounts after removal of its associated domain (SEC-454).
cPanel before 76.0.8 allows arbitrary code execution in the context of the root account via dnssec adminbin (SEC-465).
cPanel before 74.0.8 allows arbitrary file-write operations in the context of the root account during WHM Force Password Change (SEC-447).
cPanel before 74.0.8 allows demo accounts to execute arbitrary code via the Fileman::viewfile API (SEC-444).
cPanel before 74.0.0 allows arbitrary file-read operations during File Restoration (SEC-436).
cPanel before 71.9980.37 allows arbitrary file-unlink operations via the cPAddons moderation system (SEC-395).
guestbook.cgi in cPanel 5.0 allows remote attackers to execute arbitrary commands via the template parameter.
DnsUtils in cPanel before 68.0.15 allows zone creation for hostname and account subdomains (SEC-331).
cPanel before 68.0.15 can perform unsafe file operations because Jailshell does not set the umask (SEC-315).
cPanel before 64.0.21 allows demo and suspended accounts to use SSH port forwarding (SEC-247).
cPanel before 68.0.15 does not have a sufficient list of reserved usernames (SEC-327).
In cPanel before 67.9999.103, a user account's backup archive could contain all MySQL databases on the server (SEC-284).