cPanel before 74.0.0 allows arbitrary file-read operations during File Restoration (SEC-436).
cPanel before 70.0.23 allows jailshell escape because of incorrect crontab parsing (SEC-382).
cPanel before 68.0.27 allows attackers to read root's crontab file during a short time interval upon the enabling of backups (SEC-342).
cPanel before 71.9980.37 allows arbitrary file-read operations during pkgacct custom template handling (SEC-435).
cPanel before 68.0.27 allows attackers to read zone information because a world-readable archive is created by the archive_sync_zones script (SEC-355).
cPanel before 68.0.27 allows attackers to read the SRS secret via exim.conf (SEC-308).
cPanel before 68.0.27 allows a user to discover contents of directories (that are not owned by that user) by leveraging backups (SEC-339).
cPanel before 74.0.0 makes web-site contents accessible to other local users via Git repositories (SEC-443).
cPanel before 68.0.27 allows attackers to read a copy of httpd.conf that is created during a syntax test (SEC-353).
cPanel before 71.9980.37 allows attackers to read root's crontab file by leveraging ClamAV installation (SEC-408).
cPanel before 58.0.4 initially uses weak permissions for Apache HTTP Server log files (SEC-130).
cPanel before 68.0.15 allows arbitrary file-read operations via Exim vdomainaliases (SEC-329).
In cPanel before 66.0.2, weak log-file permissions can occur after account modification (SEC-289).
The WebDAV transport feature in cPanel before 76.0.8 enables debug logging (SEC-467).
cPanel before 76.0.8 unsafely performs PostgreSQL password changes (SEC-366).
In cPanel before 66.0.2, the Apache HTTP Server configuration file is changed to world-readable when rebuilt (SEC-274).
cPanel before 68.0.15 allows jailed accounts to restore files that are outside of the jail (SEC-310).
In cPanel before 66.0.2, domain log files become readable after log processing (SEC-273).
cPanel before 66.0.2 allows demo accounts to create databases and users (SEC-271).
In cPanel before 66.0.2, Apache HTTP Server SSL domain logs can persist on disk after an account termination (SEC-291).
cPanel before 68.0.15 does not preserve permissions for local backup transport (SEC-330).
In cPanel before 64.0.21, Horde MySQL to SQLite conversion can leak a database password (SEC-234).
In cPanel before 96.0.8, weak permissions on web stats can lead to information disclosure (SEC-584).
In cPanel before 66.0.2, EasyApache 4 conversion sets weak domlog ownership and permissions (SEC-272).
cPanel before 68.0.15 allows unprivileged users to access restricted directories during account restores (SEC-311).
In cPanel before 82.0.18, Cpanel::Rand::Get can produce a predictable series of numbers (SEC-525).
cPanel before 78.0.18 allows certain file-read operations in the context of the root account via the Exim virtual_user_spam router (SEC-484).
cPanel before 82.0.2 allows local users to discover the MySQL root password (SEC-510).
cPanel before 78.0.2 allows arbitrary file-read operations via Passenger adminbin (SEC-466).
cPanel before 80.0.5 allows unsafe file operations in the context of the root account via the fetch_ssl_certificates_for_fqdns API (SEC-489).
cPanel before 80.0.5 uses world-readable permissions for the Queueprocd log (SEC-494).
cPanel before 76.0.8 allows a persistent Virtual FTP accounts after removal of its associated domain (SEC-454).
cPanel before 71.9980.37 allows arbitrary file-unlink operations via the cPAddons moderation system (SEC-395).
In cPanel before 71.9980.37, API tokens retain ACLs after those ACLs are removed from the corresponding accounts (SEC-393).
cPanel before 74.0.8 allows arbitrary file-write operations in the context of the root account during WHM Force Password Change (SEC-447).
cPanel before 74.0.8 allows local users to disable the ClamAV daemon (SEC-409).
cPanel before 76.0.8 allows remote attackers to execute arbitrary code via mailing-list attachments (SEC-452).
cPanel before 76.0.8 allows arbitrary code execution in the context of the root account via dnssec adminbin (SEC-465).
cPanel before 74.0.8 allows demo accounts to execute arbitrary code via the Fileman::viewfile API (SEC-444).
cPanel before 74.0.0 allows file-rename operations during account renames (SEC-442).
cPanel before 70.0.23 allows demo accounts to execute code via awstats (SEC-362).
cPanel before 70.0.23 allows any user to disable Solr (SEC-371).
cPanel before 60.0.25 allows arbitrary code execution via Maketext in PostgreSQL adminbin (SEC-188).
cPanel before 57.9999.54 allows demo accounts to execute arbitrary code via ajax_maketext_syntax_util.pl (SEC-109).
cPanel before 55.9999.141 allows arbitrary code execution in the context of the root account because of MakeText interpolation (SEC-89).
cPanel before 11.54.0.4 allows certain file-read operations in bin/setup_global_spam_filter.pl (SEC-74).
In cPanel before 57.9999.54, /scripts/addpop and /scripts/delpop exposed TTYs (SEC-113).
cPanel before 55.9999.141 allows unauthenticated arbitrary code execution via DNS NS entry poisoning (SEC-90).
cPanel before 57.9999.54 allows demo-mode escape via show_template.stor (SEC-119).
cPanel before 57.9999.54 allows Webmail accounts to execute arbitrary code through forwarders (SEC-121).