cPanel before 55.9999.141 allows arbitrary code execution in the context of the root account because of MakeText interpolation (SEC-89).
cPanel before 74.0.8 allows FTP access during account suspension (SEC-449).
cPanel before 76.0.8 allows remote attackers to execute arbitrary code via mailing-list attachments (SEC-452).
cPanel before 76.0.8 allows arbitrary code execution in the context of the root account via dnssec adminbin (SEC-465).
cPanel before 74.0.8 allows local users to disable the ClamAV daemon (SEC-409).
cPanel before 74.0.0 allows file-rename operations during account renames (SEC-442).
cPanel before 70.0.23 allows any user to disable Solr (SEC-371).
cPanel before 74.0.8 allows arbitrary file-write operations in the context of the root account during WHM Force Password Change (SEC-447).
cPanel before 76.0.8 allows a persistent Virtual FTP accounts after removal of its associated domain (SEC-454).
cPanel before 74.0.0 allows arbitrary file-read operations during File Restoration (SEC-436).
cPanel before 64.0.21 does not preserve supplemental groups across account renames (SEC-260).
cPanel before 62.0.4 allows resellers to use the WHM enqueue_transfer_item API for queueing non-rearrange modules (SEC-213).
cPanel before 62.0.17 allows code execution in the context of the root account via a long DocumentRoot path (SEC-225).
cPanel before 62.0.17 does not have a sufficient list of reserved usernames (SEC-227).
cPanel before 62.0.17 allows file overwrite when renaming an account (SEC-219).
cPanel before 64.0.21 allows demo users to execute traceroute via api2 (SEC-244).
guestbook.cgi in cPanel 5.0 allows remote attackers to execute arbitrary commands via the template parameter.
DnsUtils in cPanel before 68.0.15 allows zone creation for hostname and account subdomains (SEC-331).
cPanel before 68.0.15 can perform unsafe file operations because Jailshell does not set the umask (SEC-315).
cPanel before 64.0.21 allows demo and suspended accounts to use SSH port forwarding (SEC-247).
cPanel before 68.0.15 does not have a sufficient list of reserved usernames (SEC-327).
In cPanel before 67.9999.103, a user account's backup archive could contain all MySQL databases on the server (SEC-284).
cPanel before 68.0.15 allows collisions because PostgreSQL databases can be assigned to multiple accounts (SEC-325).
cPanel before 62.0.17 does not properly recognize domain ownership during addition of parked domains to a mail configuration (SEC-228).
cPanel before 66.0.1 does not reliably perform suspend/unsuspend operations on accounts (CPANEL-13941).
cPanel before 68.0.15 allows user accounts to be partially created with invalid username formats (SEC-334).
cPanel before 68.0.15 allows arbitrary file-read operations because of the backup .htaccess modification logic (SEC-345).
cPanel before 67.9999.103 allows code execution in the context of the mailman account because of incorrect environment-variable filtering (SEC-302).
cPanel before 68.0.15 does not block a username of ssl (SEC-328).
cPanel before 62.0.17 allows does not preserve security policy questions across an account rename (SEC-223).
cPanel before 64.0.21 allows code execution by webmail and demo accounts via a store_filter API call (SEC-236).
cPanel before 11.54.0.0 allows unauthenticated arbitrary code execution via DNS NS entry poisoning (SEC-64).
cPanel before 71.9980.37 allows arbitrary file-unlink operations via the cPAddons moderation system (SEC-395).
cPanel before 64.0.21 allows demo accounts to execute SSH API commands (SEC-248).
cPanel before 64.0.21 allows code execution in the context of the root account via a SET_VHOST_LANG_PACKAGE multilang adminbin call (SEC-237).
In cPanel before 66.0.2, user and group ownership may be incorrectly set when using reassign_post_terminate_cruft (SEC-294).
cPanel before 62.0.17 allows arbitrary code execution during account modification (SEC-220).
cPanel before 68.0.15 does not block a username of postmaster, which might allow reception of private e-mail (SEC-326).
cPanel before 62.0.17 allows arbitrary code execution during automatic SSL installation (SEC-221).
cPanel before 68.0.15 allows use of an unreserved e-mail address in DNS zone SOA records (SEC-306).
cPanel before 62.0.17 allows arbitrary file-overwrite operations via the WHM Zone Template editor (SEC-226).
In cPanel before 67.9999.103, the backup interface could return a backup archive with all MySQL databases (SEC-283).
The "addon domain conversion" feature in cPanel before 67.9999.103 can copy all MySQL databases to the new account (SEC-285).
cPanel before 64.0.21 allows certain file-rename operations in the context of the root account via scripts/convert_roundcube_mysql2sqlite (SEC-254).
cPanel before 64.0.21 allows code execution via Rails configuration files (SEC-259).
Cisco Prime Network Analysis Module (NAM) before 6.1(1) patch.6.1-2-final and 6.2.x before 6.2(2) and Prime Virtual Network Analysis Module (vNAM) before 6.1(1) patch.6.1-2-final and 6.2.x before 6.2(2) allow remote authenticated users to execute arbitrary OS commands via a crafted HTTP request, aka Bug ID CSCuy21889.
A vulnerability was found in yanyutao0402 ChanCMS up to 3.1.2. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /collect/getArticle. The manipulation of the argument taskUrl leads to deserialization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 3.1.3 is able to address this issue. The patch is named 33d9bb464353015aaaba84e27638ac9a3912795d. It is recommended to upgrade the affected component.
A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package, aka 'Microsoft SharePoint Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-0604.
Cacti before 0.8.7f, as used in Red Hat High Performance Computing (HPC) Solution and other products, allows remote authenticated administrators to execute arbitrary commands via shell metacharacters in (1) the FQDN field of a Device or (2) the Vertical Label field of a Graph Template.
The merge_authdata function in kdc_authdata.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.8.x before 1.8.4 does not properly manage an index into an authorization-data list, which allows remote attackers to cause a denial of service (daemon crash), or possibly obtain sensitive information, spoof authorization, or execute arbitrary code, via a TGS request that triggers an uninitialized pointer dereference, as demonstrated by a request from a Windows Active Directory client.