2024

2023

2022

2021

2020

2019

CVE-2019-20495 (v3: 6.5) 17 Mar 2020
cPanel before 82.0.18 allows attackers to read an arbitrary database via MySQL dump streaming (SEC-531).
CVE-2019-14394 (v3: 5.5) 30 Jul 2019
cPanel before 80.0.5 allows unsafe file operations in the context of the root account via the fetch_ssl_certificates_for_fqdns API (SEC-489).
CVE-2019-14395 (v3: 3.3) 30 Jul 2019
cPanel before 80.0.5 uses world-readable permissions for the Queueprocd log (SEC-494).
CVE-2019-14399 (v3: 7.1) 30 Jul 2019
The SSL certificate-storage feature in cPanel before 78.0.18 allows unsafe file operations in the context of the root account (SEC-477).
CVE-2019-14404 (v3: 5.5) 30 Jul 2019
cPanel before 78.0.18 allows certain file-read operations in the context of the root account via the Exim virtual_user_spam router (SEC-484).
CVE-2019-14407 (v3: 2.7) 30 Jul 2019
cPanel before 78.0.2 reveals internal data to OpenID providers (SEC-415).
CVE-2019-14409 (v3: 5.5) 30 Jul 2019
cPanel before 78.0.2 allows arbitrary file-read operations via Passenger adminbin (SEC-466).

2018

CVE-2018-20942 (v3: 2.5) 1 Aug 2019
cPanel before 68.0.27 allows attackers to read root's crontab file during a short time interval upon configuring crontab (SEC-351).
CVE-2018-20943 (v3: 2.5) 1 Aug 2019
cPanel before 68.0.27 allows attackers to read root's crontab file during a short time interval upon a post-update task (SEC-352).
CVE-2018-20944 (v3: 3.3) 1 Aug 2019
cPanel before 68.0.27 allows attackers to read a copy of httpd.conf that is created during a syntax test (SEC-353).
CVE-2018-20946 (v3: 3.3) 1 Aug 2019
cPanel before 68.0.27 allows attackers to read zone information because a world-readable archive is created by the archive_sync_zones script (SEC-355).
CVE-2018-20952 (v3: 6.5) 1 Aug 2019
cPanel before 68.0.27 creates world-readable files during use of WHM Apache Includes Editor (SEC-388).
CVE-2018-20939 (v3: 3.3) 1 Aug 2019
cPanel before 68.0.27 allows a user to discover contents of directories (that are not owned by that user) by leveraging backups (SEC-339).
CVE-2018-20941 (v3: 5.6) 1 Aug 2019
cPanel before 68.0.27 allows arbitrary file-read operations via restore adminbin (SEC-349).
CVE-2018-20902 (v3: 5.5) 1 Aug 2019
cPanel before 71.9980.37 allows attackers to read root's crontab file by leveraging ClamAV installation (SEC-408).
CVE-2018-20913 (v3: 4.9) 1 Aug 2019
cPanel before 70.0.23 allows attackers to read the root accesshash via the WHM /cgi/trustclustermaster.cgi (SEC-364).
CVE-2018-20889 (v3: 4.4) 1 Aug 2019
cPanel before 74.0.0 allows certain file-read operations via password file caching (SEC-425).
CVE-2018-20894 (v3: 3.3) 1 Aug 2019
cPanel before 74.0.0 makes web-site contents accessible to other local users via Git repositories (SEC-443).
CVE-2018-20870 (v3: 5.5) 30 Jul 2019
The WebDAV transport feature in cPanel before 76.0.8 enables debug logging (SEC-467).

2017

CVE-2017-18474 (v3: 6.5) 5 Aug 2019
cPanel before 62.0.4 allows arbitrary file-read operations via Exim valiases (SEC-201).
CVE-2017-18478 (v3: 6.5) 5 Aug 2019
In cPanel before 62.0.4, incorrect ACL checks could occur in xml-api for Rearrange Account actions (SEC-207).
CVE-2017-18436 (v3: 3.5) 2 Aug 2019
cPanel before 64.0.21 allows demo accounts to read files via a Fileman::getfileactions API2 call (SEC-239).
CVE-2017-18424 (v3: 3.3) 2 Aug 2019
In cPanel before 66.0.2, the Apache HTTP Server configuration file is changed to world-readable when rebuilt (SEC-274).
CVE-2017-18428 (v3: 2.5) 2 Aug 2019
In cPanel before 66.0.2, Apache HTTP Server domlogs become temporarily world-readable during log processing (SEC-290).
CVE-2017-18432 (v3: 7.8) 2 Aug 2019
In cPanel before 64.0.21, Horde MySQL to SQLite conversion can leak a database password (SEC-234).
CVE-2017-18396 (v3: 5.5) 2 Aug 2019
cPanel before 68.0.15 allows arbitrary file-read operations via Exim vdomainaliases (SEC-329).
CVE-2017-18391 (v3: 2.5) 2 Aug 2019
cPanel before 68.0.15 allows attackers to read backup files because they are world-readable during a short time interval (SEC-323).

2016

CVE-2016-10809 (v3: 8.8) 7 Aug 2019
In cPanel before 57.9999.54, /scripts/checkinfopages exposed a TTY to an unprivileged process (SEC-114).
CVE-2016-10810 (v3: 8.8) 7 Aug 2019
In cPanel before 57.9999.54, /scripts/maildir_converter exposed a TTY to an unprivileged process (SEC-115).
CVE-2016-10811 (v3: 8.8) 7 Aug 2019
In cPanel before 57.9999.54, /scripts/unsuspendacct exposed TTYs (SEC-116).
CVE-2016-10794 (v3: 6.5) 6 Aug 2019
cPanel before 59.9999.145 allows arbitrary file-read operations because of a multipart form processing error (SEC-154).
CVE-2016-10797 (v3: 4.3) 6 Aug 2019
cPanel before 58.0.4 allows WHM "Purchase and Install an SSL Certificate" page visitors to list all server domains (SEC-133).
CVE-2016-10785 (v3: 6.5) 6 Aug 2019
cPanel before 60.0.25 allows attackers to discover file contents during file copy operations (SEC-185).
CVE-2016-10786 (v3: 6.5) 6 Aug 2019
cPanel before 60.0.25 allows members of the nobody group to read Apache HTTP Server SSL keys (SEC-186).
CVE-2016-10790 (v3: 7.5) 6 Aug 2019
cPanel before 60.0.25 does not use TLS for HTTP POSTs to listinput.cpanel.net (SEC-192).
CVE-2016-10815 (v3: 6.5) 1 Aug 2019
cPanel before 57.9999.54 allows arbitrary file-read operations for Webmail accounts via Branding APIs (SEC-120).
CVE-2016-10844 (v3: 6.5) 1 Aug 2019
The chcpass script in cPanel before 11.54.0.4 reveals a password hash (SEC-77).

2015