cPanel before 82.0.18 allows self-XSS because JSON string escaping is mishandled (SEC-520).
cPanel before 82.0.18 allows authentication bypass because of misparsing of the format of the password file (SEC-516).
cPanel before 82.0.18 allows authentication bypass because webmail usernames are processed inconsistently (SEC-499).
cPanel before 82.0.18 allows attackers to leverage virtual mail accounts in order to bypass account suspensions (SEC-508).
The clientconf.html and detailbw.html pages in x3 in cPanel & WHM 11.34.0 (build 8) have a XSS vulnerability.
Cross-site Scripting (XSS) in cPanel WebHost Manager (WHM) 11.34.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
cPanel before 82.0.15 allows self XSS in the WHM Update Preferences interface (SEC-528).
cPanel before 82.0.15 allows self stored XSS in the WHM SSL Storage Manager interface (SEC-527).
cPanel before 82.0.15 allows self XSS in the SSL Key Delete interface (SEC-526).
cPanel before 82.0.15 allows self XSS in LiveAPI example scripts (SEC-524).
cPanel before 82.0.15 allows self XSS in the SSL Certificate Upload interface (SEC-521).
cPanel before 82.0.15 allows API token credentials to persist after an account has been renamed or terminated (SEC-517).
In cPanel before 57.9999.54, /scripts/enablefileprotect exposed TTYs (SEC-117).
In cPanel before 57.9999.54, /scripts/unsuspendacct exposed TTYs (SEC-116).
In cPanel before 57.9999.54, /scripts/maildir_converter exposed a TTY to an unprivileged process (SEC-115).
In cPanel before 57.9999.54, /scripts/checkinfopages exposed a TTY to an unprivileged process (SEC-114).
In cPanel before 57.9999.54, /scripts/addpop and /scripts/delpop exposed TTYs (SEC-113).
cPanel before 57.9999.54 allows certain denial-of-service outcomes via /scripts/killpvhost (SEC-112).
cPanel before 57.9999.54 allows self XSS on the Paper Lantern Landing Page (SEC-110).
cPanel before 57.9999.54 allows demo accounts to execute arbitrary code via ajax_maketext_syntax_util.pl (SEC-109).
The SQLite journal feature in cPanel before 57.9999.54 allows arbitrary file-overwrite operations during Horde Restore (SEC-58).
cPanel before 57.9999.105 allows newline injection via LOC records (CPANEL-6923).
cPanel before 58.0.4 allows code execution in the context of other user accounts through the PHP CGI handler (SEC-142).
cPanel before 58.0.4 has improper session handling for shared users (SEC-139).
cPanel before 58.0.4 allows demo-mode escape via Site Templates and Boxtrapper API calls (SEC-138).
cPanel before 58.0.4 does not set the Pear tmp directory during a PHP installation (SEC-137).
cPanel before 58.0.4 allows a file-ownership change (to nobody) via rearrangeacct (SEC-134).
cPanel before 58.0.4 allows WHM "Purchase and Install an SSL Certificate" page visitors to list all server domains (SEC-133).
cPanel before 58.0.4 initially uses weak permissions for Apache HTTP Server log files (SEC-130).
cPanel before 59.9999.145 allows stored XSS in the WHM tail_upcp2.cgi interface (SEC-156).
cPanel before 59.9999.145 allows arbitrary file-read operations because of a multipart form processing error (SEC-154).
cPanel before 59.9999.145 allows arbitrary code execution due to an incorrect #! in Mail::SPF scripts (SEC-152).
cPanel before 59.9999.145 allows code execution in the context of other accounts via mailman list archives (SEC-141).
cPanel before 60.0.15 does not ensure that system accounts lack a valid password, so that logins are impossible (CPANEL-9559).
cPanel before 60.0.25 does not use TLS for HTTP POSTs to listinput.cpanel.net (SEC-192).
cPanel before 60.0.25 allows code execution via the cpsrvd 403 error response handler (SEC-191).
cPanel before 60.0.25 allows arbitrary code execution via Maketext in PostgreSQL adminbin (SEC-188).
The Host Access Control feature in cPanel before 60.0.25 mishandles actionless host.deny entries (SEC-187).
cPanel before 60.0.25 allows members of the nobody group to read Apache HTTP Server SSL keys (SEC-186).
cPanel before 60.0.25 allows attackers to discover file contents during file copy operations (SEC-185).
cPanel before 60.0.25 allows self XSS in the alias upload interface (SEC-184).
cPanel before 60.0.25 allows self stored XSS in SSL_listkeys (SEC-182).
cPanel before 60.0.25 allows self stored XSS in postgres API1 listdbs (SEC-181).
cPanel before 60.0.25 allows self XSS in the UI_confirm API (SEC-180).
cPanel before 60.0.25 allows stored XSS in the ftp_sessions API (SEC-180).
cPanel before 60.0.25 allows stored XSS in api1_listautoresponders (SEC-179).
cPanel before 60.0.25 allows self XSS in WHM Tweak Settings for autodiscover_host (SEC-177).
cPanel before 60.0.25 allows self stored XSS in the listftpstable API (SEC-178).
cPanel before 60.0.25 allows stored XSS during the homedir removal phase of WHM Account termination (SEC-174).
cPanel before 60.0.25 allows arbitrary file-chown operations via reassign_post_terminate_cruft (SEC-173).
cPanel before 60.0.25 allows self XSS in the tail_ea4_migration.cgi interface (SEC-172).