Multiple cross-site scripting (XSS) vulnerabilities in cPanel 9.1.0-R85 allow remote attackers to inject arbitrary web script or HTML via the (1) email parameter to testfile.html, (2) file parameter to erredit.html, (3) dns parameter to dnslook.html, (4) account parameter to ignorelist.html, (5) account parameter to showlog.html, (6) db parameter to repairdb.html, (7) login parameter to doaddftp.html, (8) account parameter to editmsg.htm, or (9) ip parameter to del.html. NOTE: the dnslook.html vector was later reported to exist in cPanel 10.
cPanel before 68.0.27 allows self XSS in WHM Spamd Startup Config (SEC-387).
Cross-site scripting (XSS) vulnerability in frontend/x3/files/fileop.html in cPanel 11.0 through 11.24.7 allows remote attackers to inject arbitrary web script or HTML via the fileop parameter.
cPanel before 82.0.18 allows self-XSS because JSON string escaping is mishandled (SEC-520).
cPanel before 82.0.15 allows self XSS in LiveAPI example scripts (SEC-524).
cPanel before 82.0.15 allows self XSS in the WHM Update Preferences interface (SEC-528).
cPanel before 82.0.15 allows self XSS in the SSL Key Delete interface (SEC-526).
cPanel before 82.0.15 allows self stored XSS in the WHM SSL Storage Manager interface (SEC-527).
cPanel before 82.0.15 allows self XSS in the SSL Certificate Upload interface (SEC-521).
Multiple cross-site scripting (XSS) vulnerabilities in autoinstall4imagesgalleryupgrade.php in the Fantastico De Luxe Module for cPanel allow remote attackers to inject arbitrary web script or HTML via the (1) localapp, (2) updatedir, (3) scriptpath_show, (4) domain_show, (5) thispage, (6) thisapp, and (7) currentversion parameters in an Upgrade action.
cPanel before 82.0.2 has Self XSS in the cPanel and webmail master templates (SEC-506).
cPanel before 78.0.18 has stored XSS in the BoxTrapper Queue Listing (SEC-493).
An issue was discovered in cPanel before 11.109.9999.116. XSS can occur on the cpsrvd error page via an invalid webcall ID, aka SEC-669. The fixed versions are 11.109.9999.116, 11.108.0.13, 11.106.0.18, and 11.102.0.31.
cPanel before 70.0.23 allows stored XSS via the cpaddons vendor interface (SEC-391).
cPanel before 70.0.23 allows stored XSS via a WHM "Delete a DNS Zone" action (SEC-375).
cPanel before 68.0.27 allows self XSS in WHM Apache Configuration Include Editor (SEC-385).
cPanel before 76.0.8 has Self XSS in the WHM Additional Backup Destination field (SEC-459).
cPanel before 70.0.23 allows stored XSS in WHM DNS Cluster (SEC-372).
cPanel before 70.0.23 allows self XSS in the WHM cPAddons showsecurity Interface (SEC-357).
cPanel before 71.9980.37 allows self XSS in the WHM Backup Configuration interface (SEC-421).
cPanel before 70.0.23 allows stored XSS via a WHM Synchronize DNS Records action (SEC-377).
cPanel before 70.0.23 allows stored XSS via a WHM Edit DNS Zone action (SEC-374).
cPanel before 71.9980.37 allows stored XSS in the YUM autorepair functionality (SEC-399).
cPanel before 70.0.23 allows code execution because "." is in @INC during a Perl syntax check of cpaddonsup (SEC-359).
cPanel through 74 allows XSS via a crafted filename in the logs subdirectory of a user account, because the filename is mishandled during frontend/THEME/raw/index.html rendering.
cPanel before 90.0.17 allows self-XSS via the WHM Transfer Tool interface (SEC-577).
cPanel before 59.9999.145 allows stored XSS in the WHM tail_upcp2.cgi interface (SEC-156).
cPanel before 90.0.10 allows self XSS via WHM Manage API Tokens interfaces (SEC-569).
cPanel before 88.0.13 allows self XSS via DNS Zone Manager DNSSEC interfaces (SEC-564).
cPanel before 68.0.27 allows self stored XSS in WHM Account Transfer (SEC-386).
cPanel before 84.0.20 allows stored self-XSS via the HTML file editor (SEC-535).
cPanel before 76.0.8 has Stored XSS in the WHM "Reset a DNS Zone" feature (SEC-461).
cPanel before 70.0.23 allows stored XSS via a WHM Create Account action (SEC-373).
cPanel before 90.0.10 allows self XSS via the WHM Edit DNS Zone interface (SEC-566).
cPanel before 68.0.27 allows self XSS in cPanel Backup Restoration (SEC-383).
cPanel before 71.9980.37 allows Remote-Stored XSS in WHM Save Theme Interface (SEC-400).
cPanel before 90.0.10 allows self XSS via the Cron Jobs interface (SEC-573).
cPanel before 71.9980.37 allows stored XSS in the WHM cPAddons installation interface (SEC-398).
cPanel before 76.0.8 has Stored XSS in the WHM MultiPHP Manager interface (SEC-464).
The WHM interface 11.15.0 for cPanel 11.18 before 11.18.4 and 11.22 before 11.22.3 allows remote attackers to bypass XSS protection and inject arbitrary script or HTML via repeated, improperly-ordered "<" and ">" characters in the (1) issue parameter to scripts2/knowlegebase, (2) user parameter to scripts2/changeip, (3) search parameter to scripts2/listaccts, and other unspecified vectors.
Cross-site scripting (XSS) vulnerability in frontend/x/manpage.html in cPanel 11.18.3 and 11.21.0-BETA allows remote attackers to inject arbitrary web script or HTML via the query string.
cPanel before 68.0.27 allows self XSS in the WHM listips interface (SEC-389).
Cross-site scripting (XSS) vulnerability in dohtaccess.html in cPanel before 11.17 build 19417 allows remote attackers to inject arbitrary web script or HTML via the rurl parameter. NOTE: some of these details are obtained from third party information.
cPanel before 70.0.23 allows stored XSS via a WHM DNS Cleanup action (SEC-376).
Cross-site scripting (XSS) vulnerability in cgiemail and cgiecho allows remote attackers to inject arbitrary web script or HTML via the addendum parameter.
cPanel before 62.0.4 allows reflected XSS in reset-password interfaces (SEC-198).
cPanel before 84.0.20 allows self XSS via a temporary character-set specification (SEC-515).
cPanel before 90.0.10 allows self XSS via the Cron Editor interface (SEC-574).
The Elementor Header & Footer Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the url attribute within the plugin's Site Title widget in all versions up to, and including, 1.6.35 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Label Studio is a popular open source data labeling tool. Versions prior to 1.9.2 have a cross-site scripting (XSS) vulnerability that could be exploited when an authenticated user uploads a crafted image file for their avatar that gets rendered as an HTML file on the website. Executing arbitrary JavaScript could result in an attacker performing malicious actions on Label Studio users if they visit the crafted avatar image. For example, an attacker can craft a JavaScript payload that adds a new Django Super Administrator user if a Django administrator visits the image. The file `users/functions.py` lines 18-49 show that the only verification check is that the file is an image by extracting the dimensions from the file. Label Studio serves avatar images using Django's built-in `serve` view, which is not secure for production use according to Django's documentation. The issue with the Django `serve` view is that it determines the `Content-Type` of the response by the file extension in the URL path. Therefore, an attacker can upload an image that contains malicious HTML code and name the file with a `.html` extension to be rendered as an HTML page. The only file extension validation is performed on the client side, which can be easily bypassed. Version 1.9.2 fixes this issue. Other remediation strategies include validating the file extension on the server side, not in client-side code; removing the use of Django's `serve` view and implementing a secure controller for viewing uploaded avatar images; saving file content in the database rather than on the filesystem to mitigate against other file-related vulnerabilities; and avoiding trusting user-controlled inputs.