In cPanel before 55.9999.141, Scripts/addpop reveals a command-line password in a process list (SEC-75).
cPanel before 55.9999.141 allows FTP cPHulk bypass via account name munging (SEC-102).
cPanel before 55.9999.141 allows arbitrary code execution in the context of the root account because of MakeText interpolation (SEC-89).
cPanel before 59.9999.145 allows arbitrary code execution due to an incorrect #! in Mail::SPF scripts (SEC-152).
cPanel before 57.9999.54 incorrectly sets log-file permissions in dnsadmin-startup and spamd-startup (SEC-124).
cPanel before 60.0.25 allows arbitrary code execution via Maketext in PostgreSQL adminbin (SEC-188).
cPanel before 62.0.17 allows access to restricted resources because of a URL filtering error (SEC-229).
cPanel before 55.9999.141 allows account-suspension bypass via ftp (SEC-105).
cPanel before 60.0.25 allows format-string injection in exception-message handling (SEC-171).
cPanel before 60.0.25 allows code execution via the cpsrvd 403 error response handler (SEC-191).
cPanel before 58.0.4 allows WHM "Purchase and Install an SSL Certificate" page visitors to list all server domains (SEC-133).
cPanel before 60.0.25 allows attackers to discover file contents during file copy operations (SEC-185).
cPanel before 11.54.0.4 allows certain file-read operations in bin/setup_global_spam_filter.pl (SEC-74).
cPanel before 11.54.0.4 lacks ACL enforcement in the AppConfig subsystem (SEC-85).
In cPanel before 57.9999.54, /scripts/maildir_converter exposed a TTY to an unprivileged process (SEC-115).
cPanel before 60.0.25 allows members of the nobody group to read Apache HTTP Server SSL keys (SEC-186).
The chcpass script in cPanel before 11.54.0.4 reveals a password hash (SEC-77).
cPanel before 59.9999.145 allows arbitrary file-read operations because of a multipart form processing error (SEC-154).
cPanel before 55.9999.141 allows daemons to access their controlling TTYs (SEC-31).
In cPanel before 57.9999.54, /scripts/checkinfopages exposed a TTY to an unprivileged process (SEC-114).
cPanel before 11.54.0.4 allows arbitrary code execution via scripts/synccpaddonswithsqlhost (SEC-83).
cPanel before 58.0.4 has improper session handling for shared users (SEC-139).
cPanel before 59.9999.145 allows code execution in the context of other accounts via mailman list archives (SEC-141).
cPanel before 57.9999.54 allows Webmail accounts to execute arbitrary code through forwarders (SEC-121).
cPanel before 57.9999.54 allows demo-mode escape via show_template.stor (SEC-119).
In cPanel before 57.9999.54, user log files become world-readable when rotated by cpanellogd (SEC-125).
In cPanel before 57.9999.54, /scripts/unsuspendacct exposed TTYs (SEC-116).
In cPanel before 57.9999.54, /scripts/addpop and /scripts/delpop exposed TTYs (SEC-113).
cPanel before 55.9999.141 allows a POP/IMAP cPHulk bypass via account name munging (SEC-107).
cPanel before 55.9999.141 allows attackers to bypass Two Factor Authentication via DNS clustering requests (SEC-93).
cPanel before 57.9999.54 allows demo accounts to execute arbitrary code via ajax_maketext_syntax_util.pl (SEC-109).
cPanel before 55.9999.141 allows arbitrary file-read operations during authentication with caldav (SEC-108).
cPanel before 68.0.15 allows use of an unreserved e-mail address in DNS zone SOA records (SEC-306).
cPanel before 66.0.2 allows resellers to read other accounts' domain log files (SEC-288).
fantastico in Cpanel does not properly handle when it has insufficient permissions to perform certain file operations, which allows remote authenticated users to obtain the full pathname, which is leaked in a PHP error message.
In cPanel before 62.0.4, Exim piped filters ran in the context of an incorrect user account when delivering to a system user (SEC-204).
cPanel before 62.0.4 does not enforce account ownership for has_mycnf_for_cpuser WHM API calls (SEC-210).
In cPanel before 62.0.4, Exim transports could execute in the context of the nobody account (SEC-206).
cPanel before 11.54.0.0 allows subaccounts to discover sensitive data through comet feeds (SEC-29).
cPanel before 58.0.4 allows code execution in the context of other user accounts through the PHP CGI handler (SEC-142).
cPanel before 11.54.0.4 allows arbitrary code execution during locale duplication (SEC-72).
cPanel before 55.9999.141 allows arbitrary code execution because of an unsafe @INC path (SEC-97).
cPanel before 57.9999.54 allows arbitrary file-read operations for Webmail accounts via Branding APIs (SEC-120).
In cPanel before 90.0.17, 2FA can be bypassed via a brute-force approach (SEC-575).
cPanel before 82.0.18 allows attackers to read an arbitrary database via MySQL dump streaming (SEC-531).
cPanel before 80.0.5 allows demo accounts to execute arbitrary code via ajax_maketext_syntax_util.pl (SEC-498).
cPanel before 78.0.2 reveals internal data to OpenID providers (SEC-415).
cPanel before 80.0.22 allows remote code execution by a demo account because of incorrect URI dispatching (SEC-501).
cPanel before 78.0.18 allows code execution via an addforward API1 call (SEC-480).
cPanel before 78.0.18 allows demo accounts to execute code via securitypolicy.cg (SEC-487).