2024

2023

2022

2021

2020

CVE-2020-12784 (v3: 5.3) 11 May 2020
cPanel before 86.0.14 allows remote attackers to trigger a bandwidth suspension via mail log strings (SEC-505).
CVE-2020-10115 (v3: 7.2) 17 Mar 2020
cPanel before 84.0.20, when PowerDNS is used, allows arbitrary code execution as root via dnsadmin (SEC-537).
CVE-2020-10122 (v3: 6.5) 17 Mar 2020
cPanel before 84.0.20 allows a webmail or demo account to delete arbitrary files (SEC-547).

2019

CVE-2019-20494 (v3: 3.3) 17 Mar 2020
In cPanel before 82.0.18, Cpanel::Rand::Get can produce a predictable series of numbers (SEC-525).
CVE-2019-14393 (v3: 5.3) 30 Jul 2019
cPanel before 80.0.5 allows local code execution in the context of a different cPanel account because of insecure cpphp execution (SEC-486).
CVE-2019-14396 (v3: 3.3) 30 Jul 2019
API Analytics adminbin in cPanel before 80.0.5 allows spoofed insertions of log data (SEC-495).
CVE-2019-14398 (v3: 8.8) 30 Jul 2019
cPanel before 80.0.5 allows demo accounts to execute arbitrary code via ajax_maketext_syntax_util.pl (SEC-498).
CVE-2019-14401 (v3: 8.8) 30 Jul 2019
cPanel before 78.0.18 allows code execution via an addforward API1 call (SEC-480).
CVE-2019-14402 (v3: 3.3) 30 Jul 2019
cPanel before 78.0.18 unsafely determines terminal capabilities by using infocmp (SEC-481).
CVE-2019-14405 (v3: 8.8) 30 Jul 2019
cPanel before 78.0.18 allows demo accounts to execute code via securitypolicy.cg (SEC-487).
CVE-2019-14408 (v3: 4.3) 30 Jul 2019
cPanel before 78.0.2 allows a demo account to link with an OpenID provider (SEC-460).
CVE-2019-14411 (v3: 5.3) 30 Jul 2019
cPanel before 78.0.2 does not properly restrict demo accounts from writing to files via the DCV UAPI (SEC-473).
CVE-2019-14413 (v3: 4.3) 30 Jul 2019
cPanel before 78.0.2 allows certain file-write operations as shared users during connection resets (SEC-476).
CVE-2019-14414 (v3: 3.3) 30 Jul 2019
In cPanel before 78.0.2, a Userdata cache temporary file can conflict with domains (SEC-478).
CVE-2019-14392 (v3: 8.8) 30 Jul 2019
cPanel before 80.0.22 allows remote code execution by a demo account because of incorrect URI dispatching (SEC-501).
CVE-2019-14388 (v3: 7.5) 30 Jul 2019
cPanel before 82.0.2 allows unauthenticated file creation because Exim log parsing is mishandled (SEC-507).

2018

CVE-2018-20912 (v3: 6.3) 1 Aug 2019
cPanel before 70.0.23 allows demo accounts to execute code via awstats (SEC-362).
CVE-2018-20917 (v3: 5.5) 1 Aug 2019
cPanel before 70.0.23 allows any user to disable Solr (SEC-371).
CVE-2018-20891 (v3: 5.5) 1 Aug 2019
cPanel before 74.0.0 allows arbitrary file-read operations during File Restoration (SEC-436).
CVE-2018-20893 (v3: 2.3) 1 Aug 2019
cPanel before 74.0.0 allows file-rename operations during account renames (SEC-442).
CVE-2018-20895 (v3: 7.2) 1 Aug 2019
In cPanel before 71.9980.37, API tokens retain ACLs after those ACLs are removed from the corresponding accounts (SEC-393).
CVE-2018-20897 (v3: 2.8) 1 Aug 2019
cPanel before 71.9980.37 allows arbitrary file-unlink operations via the cPAddons moderation system (SEC-395).
CVE-2018-20873 (v3: 3.3) 1 Aug 2019
cPanel before 74.0.8 allows local users to disable the ClamAV daemon (SEC-409).
CVE-2018-20879 (v3: 6.3) 1 Aug 2019
cPanel before 74.0.8 allows demo accounts to execute arbitrary code via the Fileman::viewfile API (SEC-444).
CVE-2018-20882 (v3: 6.8) 1 Aug 2019
cPanel before 74.0.8 allows arbitrary file-write operations in the context of the root account during WHM Force Password Change (SEC-447).
CVE-2018-20883 (v3: 6.5) 1 Aug 2019
cPanel before 74.0.8 allows FTP access during account suspension (SEC-449).
CVE-2018-20863 (v3: 9.8) 30 Jul 2019
cPanel before 76.0.8 allows remote attackers to execute arbitrary code via mailing-list attachments (SEC-452).
CVE-2018-20864 (v3: 6.5) 30 Jul 2019
cPanel before 76.0.8 allows a Virtual FTP account to persist after removal of its associated domain (SEC-454).
CVE-2018-20869 (v3: 7.8) 30 Jul 2019
cPanel before 76.0.8 allows arbitrary code execution in the context of the root account via dnssec adminbin (SEC-465).

2017

CVE-2017-18469 (v3: 6.3) 5 Aug 2019
cPanel before 62.0.17 allows demo accounts to execute code via an NVData_fetchinc API call (SEC-233).
CVE-2017-18475 (v3: 8.8) 5 Aug 2019
In cPanel before 62.0.4, Exim piped filters ran in the context of an incorrect user account when delivering to a system user (SEC-204).
CVE-2017-18482 (v3: 6.5) 5 Aug 2019
cPanel before 62.0.4 allows resellers to use the WHM enqueue_transfer_item API for queueing non-rearrange modules (SEC-213).
CVE-2017-18464 (v3: 4.9) 5 Aug 2019
cPanel before 62.0.17 allows arbitrary file-overwrite operations via the WHM Zone Template editor (SEC-226).
CVE-2017-18465 (v3: 4.4) 5 Aug 2019
cPanel before 62.0.17 does not have a sufficient list of reserved usernames (SEC-227).
CVE-2017-18466 (v3: 2.7) 5 Aug 2019
cPanel before 62.0.17 does not properly recognize domain ownership during addition of parked domains to a mail configuration (SEC-228).
CVE-2017-18439 (v3: 6.3) 2 Aug 2019
cPanel before 64.0.21 allows demo accounts to execute code via an ImageManager_dimensions API call (SEC-243).
CVE-2017-18440 (v3: 4.3) 2 Aug 2019
cPanel before 64.0.21 allows demo users to execute traceroute via api2 (SEC-244).
CVE-2017-18443 (v3: 5.8) 2 Aug 2019
cPanel before 64.0.21 allows demo and suspended accounts to use SSH port forwarding (SEC-247).
CVE-2017-18444 (v3: 5.3) 2 Aug 2019
cPanel before 64.0.21 allows demo accounts to execute SSH API commands (SEC-248).
CVE-2017-18447 (v3: 6.3) 2 Aug 2019
cPanel before 64.0.21 allows demo accounts to execute code via the ClamScanner_getsocket API (SEC-251).
CVE-2017-18449 (v3: 5.5) 2 Aug 2019
cPanel before 64.0.21 allows certain file-rename operations in the context of the root account via scripts/convert_roundcube_mysql2sqlite (SEC-254).
CVE-2017-18452 (v3: 6.7) 2 Aug 2019
cPanel before 64.0.21 allows code execution via Rails configuration files (SEC-259).
CVE-2017-18453 (v3: 4.9) 2 Aug 2019
cPanel before 64.0.21 does not preserve supplemental groups across account renames (SEC-260).
CVE-2017-18458 (v3: 3.3) 2 Aug 2019
cPanel before 62.0.17 allows file overwrite when renaming an account (SEC-219).
CVE-2017-18459 (v3: 7.8) 2 Aug 2019
cPanel before 62.0.17 allows arbitrary code execution during account modification (SEC-220).
CVE-2017-18460 (v3: 7.8) 2 Aug 2019
cPanel before 62.0.17 allows arbitrary code execution during automatic SSL installation (SEC-221).
CVE-2017-18461 (v3: 4.3) 2 Aug 2019
cPanel before 62.0.17 does not preserve security policy questions across an account rename (SEC-223).
CVE-2017-18463 (v3: 7.8) 2 Aug 2019
cPanel before 62.0.17 allows code execution in the context of the root account via a long DocumentRoot path (SEC-225).
CVE-2017-18430 (v3: 4.7) 2 Aug 2019
In cPanel before 66.0.2, user and group ownership may be incorrectly set when using reassign_post_terminate_cruft (SEC-294).
CVE-2017-18431 (v3: 7.5) 2 Aug 2019
cPanel before 66.0.1 does not reliably perform suspend/unsuspend operations on accounts (CPANEL-13941).
CVE-2017-18433 (v3: 8.8) 2 Aug 2019
cPanel before 64.0.21 allows code execution by webmail and demo accounts via a store_filter API call (SEC-236).
CVE-2017-18434 (v3: 7.8) 2 Aug 2019
cPanel before 64.0.21 allows code execution in the context of the root account via a SET_VHOST_LANG_PACKAGE multilang adminbin call (SEC-237).
CVE-2017-18392 (v3: 2) 2 Aug 2019
cPanel before 68.0.15 allows collisions because PostgreSQL databases can be assigned to multiple accounts (SEC-325).
CVE-2017-18393 (v3: 2.7) 2 Aug 2019
cPanel before 68.0.15 does not block a username of postmaster, which might allow reception of private e-mail (SEC-326).
CVE-2017-18394 (v3: 2.7) 2 Aug 2019
cPanel before 68.0.15 does not have a sufficient list of reserved usernames (SEC-327).
CVE-2017-18395 (v3: 2.7) 2 Aug 2019
cPanel before 68.0.15 does not block a username of ssl (SEC-328).
CVE-2017-18398 (v3: 3.8) 2 Aug 2019
DnsUtils in cPanel before 68.0.15 allows zone creation for hostname and account subdomains (SEC-331).
CVE-2017-18401 (v3: 2.7) 2 Aug 2019
cPanel before 68.0.15 allows user accounts to be partially created with invalid username formats (SEC-334).
CVE-2017-18405 (v3: 5.5) 2 Aug 2019
cPanel before 68.0.15 allows arbitrary file-read operations because of the backup .htaccess modification logic (SEC-345).
CVE-2017-18409 (v3: 6.5) 2 Aug 2019
In cPanel before 67.9999.103, the backup interface could return a backup archive with all MySQL databases (SEC-283).
CVE-2017-18410 (v3: 6.5) 2 Aug 2019
In cPanel before 67.9999.103, a user account's backup archive could contain all MySQL databases on the server (SEC-284).
CVE-2017-18411 (v3: 6.8) 2 Aug 2019
The "addon domain conversion" feature in cPanel before 67.9999.103 can copy all MySQL databases to the new account (SEC-285).
CVE-2017-18415 (v3: 7.8) 2 Aug 2019
cPanel before 67.9999.103 allows code execution in the context of the mailman account because of incorrect environment-variable filtering (SEC-302).
CVE-2017-18382 (v3: 2.7) 2 Aug 2019
cPanel before 68.0.15 allows use of an unreserved e-mail address in DNS zone SOA records (SEC-306).
CVE-2017-18388 (v3: 7.8) 2 Aug 2019
cPanel before 68.0.15 can perform unsafe file operations because Jailshell does not set the umask (SEC-315).

2016

CVE-2016-10800 (v3: 7.8) 7 Aug 2019
cPanel before 58.0.4 allows demo-mode escape via Site Templates and Boxtrapper API calls (SEC-138).
CVE-2016-10804 (v3: 8.1) 7 Aug 2019
The SQLite journal feature in cPanel before 57.9999.54 allows arbitrary file-overwrite operations during Horde Restore (SEC-58).
CVE-2016-10805 (v3: 8.8) 7 Aug 2019
cPanel before 57.9999.54 allows demo accounts to execute arbitrary code via ajax_maketext_syntax_util.pl (SEC-109).
CVE-2016-10807 (v3: 6.5) 7 Aug 2019
cPanel before 57.9999.54 allows certain denial-of-service outcomes via /scripts/killpvhost (SEC-112).
CVE-2016-10808 (v3: 8.8) 7 Aug 2019
In cPanel before 57.9999.54, /scripts/addpop and /scripts/delpop exposed TTYs (SEC-113).
CVE-2016-10812 (v3: 8.8) 7 Aug 2019
In cPanel before 57.9999.54, /scripts/enablefileprotect exposed TTYs (SEC-117).
CVE-2016-10793 (v3: 8.8) 6 Aug 2019
cPanel before 59.9999.145 allows arbitrary code execution due to an incorrect #! in Mail::SPF scripts (SEC-152).
CVE-2016-10787 (v3: 8.1) 6 Aug 2019
The Host Access Control feature in cPanel before 60.0.25 mishandles actionless host.deny entries (SEC-187).
CVE-2016-10788 (v3: 8.8) 6 Aug 2019
cPanel before 60.0.25 allows arbitrary code execution via Maketext in PostgreSQL adminbin (SEC-188).
CVE-2016-10789 (v3: 8.8) 6 Aug 2019
cPanel before 60.0.25 allows code execution via the cpsrvd 403 error response handler (SEC-191).
CVE-2016-10768 (v3: 6.5) 5 Aug 2019
cPanel before 60.0.25 allows file-overwrite operations during preparation for MySQL upgrades (SEC-161).
CVE-2016-10770 (v3: 6.5) 5 Aug 2019
cPanel before 60.0.25 allows arbitrary file-overwrite operations during a Roundcube update (SEC-164).
CVE-2016-10771 (v3: 8.1) 5 Aug 2019
cPanel before 60.0.25 allows file-create and file-chmod operations during ModSecurity Audit logfile processing (SEC-165).
CVE-2016-10775 (v3: 6.5) 5 Aug 2019
cPanel before 60.0.25 allows arbitrary file-chown operations via reassign_post_terminate_cruft (SEC-173).
CVE-2016-10814 (v3: 8.8) 1 Aug 2019
cPanel before 57.9999.54 allows demo-mode escape via show_template.stor (SEC-119).
CVE-2016-10816 (v3: 8.8) 1 Aug 2019
cPanel before 57.9999.54 allows Webmail accounts to execute arbitrary code through forwarders (SEC-121).
CVE-2016-10823 (v3: 8.8) 1 Aug 2019
cPanel before 55.9999.141 allows arbitrary code execution in the context of the root account because of MakeText interpolation (SEC-89).
CVE-2016-10824 (v3: 9.8) 1 Aug 2019
cPanel before 55.9999.141 allows unauthenticated arbitrary code execution via DNS NS entry poisoning (SEC-90).
CVE-2016-10842 (v3: 6.5) 1 Aug 2019
cPanel before 11.54.0.4 allows certain file-read operations in bin/setup_global_spam_filter.pl (SEC-74).
CVE-2016-10858 (v3: 9.8) 1 Aug 2019
cPanel before 11.54.0.0 allows unauthenticated arbitrary code execution via DNS NS entry poisoning (SEC-64).
CVE-2016-10850 (v3: 8.8) 1 Aug 2019
cPanel before 11.54.0.4 allows arbitrary code execution via scripts/synccpaddonswithsqlhost (SEC-83).
CVE-2016-10855 (v3: 9.8) 1 Aug 2019
cPanel before 11.54.0.4 allows unauthenticated arbitrary code execution via cpsrvd (SEC-91).

2015