cPanel before 11.54.0.4 allows arbitrary file-overwrite operations in scripts/check_system_storable (SEC-78).
cPanel before 58.0.4 has improper session handling for shared users (SEC-139).
cPanel before 62.0.17 allows demo accounts to execute code via an NVData_fetchinc API call (SEC-233).
The WHM Locale Upload feature in cPanel before 98.0.1 allows unserialization attacks (SEC-585).
The WHM Locale Upload feature in cPanel before 98.0.1 allows XXE attacks (SEC-585).
cPanel before 64.0.21 allows demo accounts to execute code via an ImageManager_dimensions API call (SEC-243).
cPanel before 64.0.21 allows demo accounts to execute code via Encoding API calls (SEC-242).
In cPanel before 62.0.4, Exim piped filters ran in the context of an incorrect user account when delivering to a system user (SEC-204).
cPanel before 62.0.17 allows demo accounts to execute code via the Htaccess::setphppreference API (SEC-232).
cPanel before 64.0.21 allows demo accounts to execute code via the ClamScanner_getsocket API (SEC-251).
cPanel before 64.0.21 allows file-read and file-write operations for demo accounts via the SourceIPCheck API (SEC-250).
cPanel before 68.0.15 allows code execution in the context of the nobody account via Mailman archives (SEC-337).
cPanel before 82.0.18 allows authentication bypass because of misparsing of the format of the password file (SEC-516).
cPanel before 82.0.15 allows API token credentials to persist after an account has been renamed or terminated (SEC-517).
cPanel before 55.9999.141 allows attackers to bypass Two Factor Authentication via DNS clustering requests (SEC-93).
cPanel before 60.0.25 allows code execution via the cpsrvd 403 error response handler (SEC-191).
cPanel before 80.0.5 allows demo accounts to execute arbitrary code via ajax_maketext_syntax_util.pl (SEC-498).
cPanel before 78.0.18 allows demo accounts to execute code via securitypolicy.cg (SEC-487).
cPanel before 80.0.22 allows remote code execution by a demo account because of incorrect URI dispatching (SEC-501).
cPanel before 78.0.18 allows code execution via an addforward API1 call (SEC-480).
cPanel before 58.0.4 allows code execution in the context of other user accounts through the PHP CGI handler (SEC-142).
cPanel before 57.9999.54 allows Webmail accounts to execute arbitrary code through forwarders (SEC-121).
cPanel before 59.9999.145 allows arbitrary code execution due to an incorrect #! in Mail::SPF scripts (SEC-152).
cPanel before 57.9999.54 allows demo accounts to execute arbitrary code via ajax_maketext_syntax_util.pl (SEC-109).
cPanel before 59.9999.145 allows code execution in the context of other accounts via mailman list archives (SEC-141).
In cPanel before 71.9980.37, API tokens retain ACLs after those ACLs are removed from the corresponding accounts (SEC-393).
cPanel before 74.0.8 allows demo accounts to execute arbitrary code via the Fileman::viewfile API (SEC-444).
cPanel before 70.0.23 allows demo accounts to execute code via the Landing Page (SEC-405).
cPanel before 70.0.23 allows code execution because "." is in @INC during a Perl syntax check of cpaddonsup (SEC-359).
cPanel before 70.0.23 allows demo accounts to execute code via awstats (SEC-362).
cPanel before 57.9999.54 allows demo-mode escape via show_template.stor (SEC-119).
cPanel before 55.9999.141 allows account-suspension bypass via ftp (SEC-105).
cPanel before 60.0.25 allows format-string injection in exception-message handling (SEC-171).
cPanel before 82.0.18 allows authentication bypass because webmail usernames are processed inconsistently (SEC-499).
cPanel before 55.9999.141 does not perform a two-factor authentication check when possessing another account (SEC-101).
cPanel before 64.0.21 allows a Webmail account to execute code via forwarders (SEC-240).
cPanel before 68.0.15 allows arbitrary code execution via Maketext injection in PostgresAdmin (SEC-313).
cPanel before 68.0.15 allows arbitrary code execution via Maketext injection in a Reseller style upload (SEC-314).
cPanel before 11.54.0.4 allows arbitrary file-read and file-write operations via scripts/fixmailboxpath (SEC-80).
cPanel before 71.9980.37 allows e-mail injection during cPAddons moderation (SEC-396).
cPanel before 74.0.0 allows Apache HTTP Server configuration injection because of DocumentRoot variable interpolation (SEC-416).
In cPanel before 70.0.23, OpenID providers can inject arbitrary data into cPanel session files (SEC-368).
A critical vulnerability was found in PHPGurukul Complaint Management System 1.0. An unknown part of the file /admin/state.php is affected: manipulation of the argument state leads to SQL injection. The attack can be launched remotely. A public exploit is available.
A critical vulnerability was found in melMass comfy_mtb up to 0.1.4. The function run_command in the file comfy_mtb/endpoint.py (component Dependency Handler) is affected: manipulation of its input leads to code injection. The attack can be launched remotely. A public exploit is available. The fix is patch d6e004cce2c32f8e48b868e66b89f82da4887dc3; applying it is recommended.
A critical vulnerability was found in Sucms 1.0. Unknown functionality in the file /admin/admin_members.php?ac=search is affected: manipulation of the argument uid leads to SQL injection. The attack can be launched remotely. A public exploit is available.
A critical vulnerability was found in TOTOLINK N150RT 3.4.0-B20190525. Unknown processing in the file /boafrm/formWsc is affected: manipulation of the argument localPin leads to command injection. The attack can be launched remotely. A public exploit is available.
A critical vulnerability was found in code-projects Travel Management System 1.0. An unknown part of the file /detail.php is affected: manipulation of the argument pid leads to SQL injection. The attack can be launched remotely. A public exploit is available.
A critical vulnerability was found in code-projects Simple Admin Panel 1.0. Unknown processing in the file catDeleteController.php is affected: manipulation of the argument record leads to SQL injection. The attack can be launched remotely. A public exploit is available.
A critical vulnerability was found in PHPGurukul Small CRM 1.0. An unknown function in the file /admin/index.php is affected: manipulation of the argument email leads to SQL injection. The attack can be launched remotely. A public exploit is available.
A critical vulnerability was found in TreasureHuntGame TreasureHunt up to 963e0e0. The function console_log in the file TreasureHunt/checkflag.php is affected: manipulation of the argument problema leads to SQL injection. The attack can be launched remotely. The fix is patch 8bcc649abc35b7734951be084bb522a532faac4e; applying it is recommended.
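Most of the entries above share one sentence: "manipulation of the argument X leads to SQL injection" (state, uid, pid, record, email, problema) or "leads to command injection" (localPin). The following is an added illustration of those two bug classes in general, not code from any of the products listed and not a reproduction of their exploits. It is written in Python against an in-memory SQLite table and a plain shell echo so it runs offline; the table layout, the sample rows, the stand-in command "set_pin" and the three payload strings are constructed for this example and are assumptions, not details taken from the advisories.

```python
"""Added example: why splicing a request argument into SQL or a shell string
lets an attacker change what the interpreter executes, and what the fixed
form looks like. Data, names and payloads below are constructed; nothing
here is taken from the advisories on this page.
"""
import sqlite3
import subprocess

# Constructed sample rows standing in for an application's user table.
SAMPLE_USERS = [
    (1, "alice", "alice@example.com", 0),
    (2, "bob", "bob@example.com", 0),
    (3, "admin", "admin@example.com", 1),
]

# Constructed payloads. The first two target the SQL lookup, the third the
# shell helper; none of them is an exploit for any product named above.
TAUTOLOGY_PAYLOAD = "' OR '1'='1"
UNION_PAYLOAD = "0' UNION SELECT uid, name, email FROM users WHERE is_admin = 1 --"
SHELL_PAYLOAD = "12345678; echo INJECTED"


def make_db():
    """Build the in-memory table the lookups below query."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (uid INTEGER, name TEXT, email TEXT, is_admin INTEGER)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def search_vulnerable(conn, uid):
    """The bug class: the request argument is concatenated into the SQL text,
    so quote characters in it end the literal and the rest is parsed as SQL."""
    sql = "SELECT uid, name, email FROM users WHERE uid = '" + uid + "'"
    return conn.execute(sql).fetchall()


def search_safe(conn, uid):
    """The fix: the argument travels as a bound parameter. The driver sends it
    as a value, so it is compared against the column and never parsed."""
    return conn.execute(
        "SELECT uid, name, email FROM users WHERE uid = ?", (uid,)
    ).fetchall()


def set_pin_vulnerable(local_pin):
    """The bug class: the argument is interpolated into a shell command line,
    so ';', '|', '`' or '$(...)' in it start a second command. 'echo set_pin'
    is a harmless stand-in (assumption) for whatever the real helper runs."""
    cmd = "echo set_pin " + local_pin
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def set_pin_safe(local_pin):
    """The fix: validate the value against its expected shape (an 8-digit PIN
    here, an assumption) and pass it as its own argv element, with no shell."""
    if not (local_pin.isdigit() and len(local_pin) == 8):
        raise ValueError("PIN must be exactly 8 digits")
    return subprocess.run(
        ["echo", "set_pin", local_pin], capture_output=True, text=True
    ).stdout


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, tautology:", search_vulnerable(db, TAUTOLOGY_PAYLOAD))
    print("vulnerable, union    :", search_vulnerable(db, UNION_PAYLOAD))
    print("parameterised        :", search_safe(db, TAUTOLOGY_PAYLOAD))
    print("vulnerable shell     :", repr(set_pin_vulnerable(SHELL_PAYLOAD)))
    try:
        set_pin_safe(SHELL_PAYLOAD)
    except ValueError as exc:
        print("argv form rejected   :", exc)
```

The tautology payload turns a one-row lookup into a dump of the whole table, and the UNION payload pulls rows the query was never meant to return; with a bound parameter the same strings are simply compared against the uid column and match nothing. On the shell side, passing a list to subprocess.run means the value can never be split into a second command, and the shape check rejects it before any process is started at all.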