cPanel before 64.0.21 allows demo accounts to execute SSH API commands (SEC-248).
cPanel before 64.0.21 allows demo and suspended accounts to use SSH port forwarding (SEC-247).
cPanel before 62.0.17 does not preserve security policy questions across an account rename (SEC-223).
cPanel before 62.0.17 allows a CPHulk one-day ban bypass when IP based protection is enabled (SEC-224).
cPanel before 67.9999.103 allows SQL injection during eximstats processing (SEC-276).
In cPanel before 96.0.13, scripts/fix-cpanel-perl mishandles the creation of temporary files (SEC-586).
cPanel 9.9.1-RELEASE-3 allows remote authenticated users to chmod arbitrary files via a symlink attack on the _private directory, which is created when Front Page extensions are enabled.
cPanel before 92.0.9 allows a Reseller to bypass the suspension lock (SEC-578).
cPanel before 82.0.2 allows unauthenticated file creation because Exim log parsing is mishandled (SEC-507).
cPanel before 80.0.5 allows demo accounts to modify arbitrary files via the extractfile API1 call (SEC-496).
cPanel before 78.0.2 does not properly restrict demo accounts from writing to files via the DCV UAPI (SEC-473).
cPanel before 74.0.0 allows Apache HTTP Server configuration injection because of DocumentRoot variable interpolation (SEC-416).
cPanel before 88.0.3 allows attackers to bypass the SMTP greylisting protection mechanism (SEC-491).
cPanel before 60.0.15 does not ensure that system accounts lack a valid password, which would make logins to those accounts impossible (CPANEL-9559).
cPanel before 57.9999.105 allows newline injection via LOC records (CPANEL-6923).
cPanel before 84.0.20 allows attackers to bypass intended restrictions on features and demo accounts via WebDisk UAPI calls (SEC-541).
cPanel before 88.0.13 allows bypass of a protection mechanism that attempted to restrict package modification (SEC-557).
cPanel before 64.0.21 allows demo accounts to execute Cpanel::SPFUI API commands (SEC-246).
The email quota cache in cPanel before 90.0.10 allows overwriting of files.
cPanel before 92.0.9 allows a MySQL user (who has an old-style password hash) to bypass suspension (SEC-579).
cPanel before 64.0.21 allows demo users to execute traceroute via api2 (SEC-244).
cPanel before 62.0.17 allows code execution in the context of the root account via a long DocumentRoot path (SEC-225).
cPanel before 62.0.17 allows demo accounts to execute code via an NVData_fetchinc API call (SEC-233).
cPanel before 68.0.15 allows user accounts to be partially created with invalid username formats (SEC-334).
In cPanel before 62.0.4, Exim piped filters ran in the context of an incorrect user account when delivering to a system user (SEC-204).
cPanel before 68.0.15 allows collisions because PostgreSQL databases can be assigned to multiple accounts (SEC-325).
cPanel before 68.0.15 does not block a username of ssl (SEC-328).
cPanel before 62.0.17 allows arbitrary file-overwrite operations via the WHM Zone Template editor (SEC-226).
DnsUtils in cPanel before 68.0.15 allows zone creation for hostname and account subdomains (SEC-331).
cPanel before 62.0.17 does not properly recognize domain ownership during addition of parked domains to a mail configuration (SEC-228).
cPanel before 68.0.15 can perform unsafe file operations because Jailshell does not set the umask (SEC-315).
cPanel before 67.9999.103 allows code execution in the context of the mailman account because of incorrect environment-variable filtering (SEC-302).
cPanel before 64.0.21 allows code execution in the context of the root account via a SET_VHOST_LANG_PACKAGE multilang adminbin call (SEC-237).
In cPanel before 66.0.2, user and group ownership may be incorrectly set when using reassign_post_terminate_cruft (SEC-294).
cPanel before 62.0.17 allows arbitrary code execution during automatic SSL installation (SEC-221).
cPanel before 68.0.15 allows use of an unreserved e-mail address in DNS zone SOA records (SEC-306).
cPanel before 68.0.15 does not block a username of postmaster, which might allow reception of private e-mail (SEC-326).
cPanel before 64.0.21 allows demo accounts to execute code via an ImageManager_dimensions API call (SEC-243).
cPanel before 64.0.21 allows certain file-rename operations in the context of the root account via scripts/convert_roundcube_mysql2sqlite (SEC-254).
guestbook.cgi in cPanel 5.0 allows remote attackers to execute arbitrary commands via the template parameter.
The "addon domain conversion" feature in cPanel before 67.9999.103 can copy all MySQL databases to the new account (SEC-285).
cPanel before 60.0.25 allows code execution via the cpsrvd 403 error response handler (SEC-191).
cPanel before 70.0.23 allows demo accounts to execute code via awstats (SEC-362).
cPanel before 74.0.8 allows local users to disable the ClamAV daemon (SEC-409).
cPanel before 74.0.8 allows FTP access during account suspension (SEC-449).
cPanel before 76.0.8 allows a Virtual FTP account to persist after removal of its associated domain (SEC-454).
cPanel before 74.0.0 allows arbitrary file-read operations during File Restoration (SEC-436).
cPanel before 76.0.8 allows arbitrary code execution in the context of the root account via dnssec adminbin (SEC-465).
cPanel before 57.9999.54 allows Webmail accounts to execute arbitrary code through forwarders (SEC-121).
In cPanel before 57.9999.54, /scripts/addpop and /scripts/delpop exposed TTYs (SEC-113).