2020

CVE-2020-12784 (v3: 5.3) 11 May 2020
cPanel before 86.0.14 allows remote attackers to trigger a bandwidth suspension via mail log strings (SEC-505).
CVE-2020-12785 (v3: 8.1) 11 May 2020
cPanel before 86.0.14 allows attackers to obtain access to the current working directory via the account backup feature (SEC-540).
CVE-2020-10113 (v3: 6.1) 17 Mar 2020
cPanel before 84.0.20 allows self XSS via a temporary character-set specification (SEC-515).
CVE-2020-10114 (v3: 6.1) 17 Mar 2020
cPanel before 84.0.20 allows stored self-XSS via the HTML file editor (SEC-535).
CVE-2020-10115 (v3: 7.2) 17 Mar 2020
cPanel before 84.0.20, when PowerDNS is used, allows arbitrary code execution as root via dnsadmin. (SEC-537).
CVE-2020-10116 (v3: 5.3) 17 Mar 2020
cPanel before 84.0.20 allows attackers to bypass intended restrictions on features and demo accounts via WebDisk UAPI calls (SEC-541).
CVE-2020-10117 (v3: 9.1) 17 Mar 2020
cPanel before 84.0.20 mishandles enforcement of demo checks in the Market UAPI namespace (SEC-542).
CVE-2020-10118 (v3: 9.1) 17 Mar 2020
cPanel before 84.0.20 allows a demo account to modify files via Branding API calls (SEC-543).
CVE-2020-10119 (v3: 9.8) 17 Mar 2020
cPanel before 84.0.20 allows a demo account to achieve remote code execution via a cpsrvd rsync shell (SEC-544).
CVE-2020-10120 (v3: 7.2) 17 Mar 2020
cPanel before 84.0.20 allows resellers to achieve remote code execution as root via a cpsrvd rsync shell (SEC-545).
CVE-2020-10121 (v3: 9.8) 17 Mar 2020
cPanel before 84.0.20 allows a demo account to achieve code execution via PassengerApps APIs (SEC-546).
CVE-2020-10122 (v3: 6.5) 17 Mar 2020
cPanel before 84.0.20 allows a webmail or demo account to delete arbitrary files (SEC-547).

2019

CVE-2019-20490 (v3: 8.8) 17 Mar 2020
cPanel before 82.0.18 allows authentication bypass because webmail usernames are processed inconsistently (SEC-499).
CVE-2019-20492 (v3: 8.8) 17 Mar 2020
cPanel before 82.0.18 allows authentication bypass because of misparsing of the format of the password file (SEC-516).
CVE-2019-20493 (v3: 6.1) 17 Mar 2020
cPanel before 82.0.18 allows self-XSS because JSON string escaping is mishandled (SEC-520).
CVE-2019-20494 (v3: 3.3) 17 Mar 2020
In cPanel before 82.0.18, Cpanel::Rand::Get can produce a predictable series of numbers (SEC-525).
CVE-2019-20495 (v3: 6.5) 17 Mar 2020
cPanel before 82.0.18 allows attackers to read an arbitrary database via MySQL dump streaming (SEC-531).
CVE-2019-20496 (v3: 5.5) 17 Mar 2020
cPanel before 82.0.18 allows attackers to conduct arbitrary chown operations as root during log processing (SEC-532).
CVE-2019-20497 (v3: 5.4) 17 Mar 2020
cPanel before 82.0.18 allows stored XSS via WHM Backup Restoration (SEC-533).
CVE-2019-20498 (v3: 9.8) 17 Mar 2020
cPanel before 82.0.18 allows WebDAV authentication bypass because the connection-sharing logic is incorrect (SEC-534).
CVE-2019-20491 (v3: 5.4) 16 Mar 2020
cPanel before 82.0.18 allows attackers to leverage virtual mail accounts in order to bypass account suspensions (SEC-508).
CVE-2019-17375 (v3: 8.8) 9 Oct 2019
cPanel before 82.0.15 allows API token credentials to persist after an account has been renamed or terminated (SEC-517).
CVE-2019-17376 (v3: 6.1) 9 Oct 2019
cPanel before 82.0.15 allows self XSS in the SSL Certificate Upload interface (SEC-521).
CVE-2019-17377 (v3: 6.1) 9 Oct 2019
cPanel before 82.0.15 allows self XSS in LiveAPI example scripts (SEC-524).
CVE-2019-17378 (v3: 6.1) 9 Oct 2019
cPanel before 82.0.15 allows self XSS in the SSL Key Delete interface (SEC-526).
CVE-2019-17379 (v3: 6.1) 9 Oct 2019
cPanel before 82.0.15 allows self stored XSS in the WHM SSL Storage Manager interface (SEC-527).
CVE-2019-17380 (v3: 6.1) 9 Oct 2019
cPanel before 82.0.15 allows self XSS in the WHM Update Preferences interface (SEC-528).
CVE-2019-14393 (v3: 5.3) 30 Jul 2019
cPanel before 80.0.5 allows local code execution in the context of a different cPanel account because of insecure cpphp execution (SEC-486).
CVE-2019-14394 (v3: 5.5) 30 Jul 2019
cPanel before 80.0.5 allows unsafe file operations in the context of the root account via the fetch_ssl_certificates_for_fqdns API (SEC-489).
CVE-2019-14395 (v3: 3.3) 30 Jul 2019
cPanel before 80.0.5 uses world-readable permissions for the Queueprocd log (SEC-494).
CVE-2019-14396 (v3: 3.3) 30 Jul 2019
API Analytics adminbin in cPanel before 80.0.5 allows spoofed insertions of log data (SEC-495).
CVE-2019-14397 (v3: 5.3) 30 Jul 2019
cPanel before 80.0.5 allows demo accounts to modify arbitrary files via the extractfile API1 call (SEC-496).
CVE-2019-14398 (v3: 8.8) 30 Jul 2019
cPanel before 80.0.5 allows demo accounts to execute arbitrary code via ajax_maketext_syntax_util.pl (SEC-498).
CVE-2019-14399 (v3: 7.1) 30 Jul 2019
The SSL certificate-storage feature in cPanel before 78.0.18 allows unsafe file operations in the context of the root account (SEC-477).
CVE-2019-14401 (v3: 8.8) 30 Jul 2019
cPanel before 78.0.18 allows code execution via an addforward API1 call (SEC-480).
CVE-2019-14402 (v3: 3.3) 30 Jul 2019
cPanel before 78.0.18 unsafely determines terminal capabilities by using infocmp (SEC-481).
CVE-2019-14403 (v3: 4.3) 30 Jul 2019
cPanel before 78.0.18 offers an open mail relay because of incorrect domain-redirect routing (SEC-483).
CVE-2019-14404 (v3: 5.5) 30 Jul 2019
cPanel before 78.0.18 allows certain file-read operations in the context of the root account via the Exim virtual_user_spam router (SEC-484).
CVE-2019-14405 (v3: 8.8) 30 Jul 2019
cPanel before 78.0.18 allows demo accounts to execute code via securitypolicy.cg (SEC-487).
CVE-2019-14406 (v3: 6.1) 30 Jul 2019
cPanel before 78.0.18 has stored XSS in the BoxTrapper Queue Listing (SEC-493).
CVE-2019-14407 (v3: 2.7) 30 Jul 2019
cPanel before 78.0.2 reveals internal data to OpenID providers (SEC-415).
CVE-2019-14408 (v3: 4.3) 30 Jul 2019
cPanel before 78.0.2 allows a demo account to link with an OpenID provider (SEC-460).
CVE-2019-14409 (v3: 5.5) 30 Jul 2019
cPanel before 78.0.2 allows arbitrary file-read operations via Passenger adminbin (SEC-466).
CVE-2019-14410 (v3: 3.3) 30 Jul 2019
Maketext in cPanel before 78.0.2 allows format-string injection in the Email store_filter UAPI (SEC-472).
CVE-2019-14411 (v3: 5.3) 30 Jul 2019
cPanel before 78.0.2 does not properly restrict demo accounts from writing to files via the DCV UAPI (SEC-473).
CVE-2019-14412 (v3: 3.3) 30 Jul 2019
Maketext in cPanel before 78.0.2 allows format-string injection in the DCV check_domains_via_dns UAPI (SEC-474).
CVE-2019-14413 (v3: 4.3) 30 Jul 2019
cPanel before 78.0.2 allows certain file-write operations as shared users during connection resets (SEC-476).
CVE-2019-14414 (v3: 3.3) 30 Jul 2019
In cPanel before 78.0.2, a Userdata cache temporary file can conflict with domains (SEC-478).
CVE-2019-14392 (v3: 8.8) 30 Jul 2019
cPanel before 80.0.22 allows remote code execution by a demo account because of incorrect URI dispatching (SEC-501).
CVE-2019-14386 (v3: 5.4) 30 Jul 2019
cPanel before 82.0.2 has stored XSS in the WHM Tomcat Manager interface (SEC-504).
CVE-2019-14387 (v3: 6.1) 30 Jul 2019
cPanel before 82.0.2 has Self XSS in the cPanel and webmail master templates (SEC-506).
CVE-2019-14388 (v3: 7.5) 30 Jul 2019
cPanel before 82.0.2 allows unauthenticated file creation because Exim log parsing is mishandled (SEC-507).
CVE-2019-14390 (v3: 5.4) 30 Jul 2019
cPanel before 82.0.2 has stored XSS in the WHM Modify Account interface (SEC-512).

2018

CVE-2018-20942 (v3: 2.5) 1 Aug 2019
cPanel before 68.0.27 allows attackers to read root's crontab file during a short time interval upon configuring crontab (SEC-351).
CVE-2018-20943 (v3: 2.5) 1 Aug 2019
cPanel before 68.0.27 allows attackers to read root's crontab file during a short time interval upon a post-update task (SEC-352).
CVE-2018-20944 (v3: 3.3) 1 Aug 2019
cPanel before 68.0.27 allows attackers to read a copy of httpd.conf that is created during a syntax test (SEC-353).
CVE-2018-20945 (v3: 5.7) 1 Aug 2019
bin/csvprocess in cPanel before 68.0.27 allows insecure file operations (SEC-354).
CVE-2018-20946 (v3: 3.3) 1 Aug 2019
cPanel before 68.0.27 allows attackers to read zone information because a world-readable archive is created by the archive_sync_zones script (SEC-355).
CVE-2018-20947 (v3: 5.5) 1 Aug 2019
cPanel before 68.0.27 allows certain file-write operations via the telnetcrt script (SEC-356).
CVE-2018-20948 (v3: 6.1) 1 Aug 2019
cPanel before 68.0.27 allows self XSS in cPanel Backup Restoration (SEC-383).
CVE-2018-20949 (v3: 6.1) 1 Aug 2019
cPanel before 68.0.27 allows self XSS in WHM Apache Configuration Include Editor (SEC-385).
CVE-2018-20950 (v3: 6.1) 1 Aug 2019
cPanel before 68.0.27 allows self stored XSS in WHM Account Transfer (SEC-386).
CVE-2018-20951 (v3: 6.1) 1 Aug 2019
cPanel before 68.0.27 allows self XSS in WHM Spamd Startup Config (SEC-387).
CVE-2018-20952 (v3: 6.5) 1 Aug 2019
cPanel before 68.0.27 creates world-readable files during use of WHM Apache Includes Editor (SEC-388).
CVE-2018-20953 (v3: 6.1) 1 Aug 2019
cPanel before 68.0.27 allows self XSS in the WHM listips interface (SEC-389).
CVE-2018-20937 (v3: 4.3) 1 Aug 2019
cPanel before 68.0.27 does not validate database and dbuser names during renames (SEC-321).
CVE-2018-20938 (v3: 2.7) 1 Aug 2019
cPanel before 68.0.27 does not enforce ownership during addpkgext and delpkgext WHM API calls (SEC-324).
CVE-2018-20939 (v3: 3.3) 1 Aug 2019
cPanel before 68.0.27 allows a user to discover contents of directories (that are not owned by that user) by leveraging backups (SEC-339).
CVE-2018-20940 (v3: 3.3) 1 Aug 2019
cPanel before 68.0.27 allows attackers to read root's crontab file during a short time interval upon the enabling of backups (SEC-342).
CVE-2018-20941 (v3: 5.6) 1 Aug 2019
cPanel before 68.0.27 allows arbitrary file-read operations via restore adminbin (SEC-349).
CVE-2018-20924 (v3: 5.5) 1 Aug 2019
cPanel before 70.0.23 allows arbitrary file-read and file-unlink operations via WHM style uploads (SEC-378).
CVE-2018-20925 (v3: 6.7) 1 Aug 2019
cPanel before 70.0.23 allows local privilege escalation via the WHM Legacy Language File Upload interface (SEC-379).
CVE-2018-20927 (v3: 3.8) 1 Aug 2019
cPanel before 70.0.23 allows jailshell escape because of incorrect crontab parsing (SEC-382).
CVE-2018-20928 (v3: 6.1) 1 Aug 2019
cPanel before 70.0.23 allows stored XSS via the cpaddons vendor interface (SEC-391).
CVE-2018-20929 (v3: 6.1) 1 Aug 2019
cPanel before 70.0.23 allows an open redirect via the /unprotected/redirect.html endpoint (SEC-392).
CVE-2018-20930 (v3: 6.5) 1 Aug 2019
cPanel before 70.0.23 allows .htaccess restrictions bypass when Htaccess Optimization is enabled (SEC-401).
CVE-2018-20931 (v3: 6.3) 1 Aug 2019
cPanel before 70.0.23 allows demo accounts to execute code via the Landing Page (SEC-405).
CVE-2018-20932 (v3: 2.7) 1 Aug 2019
cPanel before 70.0.23 exposes Apache HTTP Server logs after creation of certain domains (SEC-406).
CVE-2018-20933 (v3: 5.4) 1 Aug 2019
cPanel before 70.0.23 has Stored XSS via an WHM Edit DNS Zone action (SEC-410).
CVE-2018-20934 (v3: 6.5) 1 Aug 2019
cPanel before 70.0.23 does not prevent e-mail account suspensions from being applied to unowned accounts (SEC-411).
CVE-2018-20935 (v3: 5.4) 1 Aug 2019
cPanel before 70.0.23 allows stored XSS in via a WHM "Reset a DNS Zone" action (SEC-412).
CVE-2018-20901 (v3: 6.1) 1 Aug 2019
cPanel before 71.9980.37 allows Remote-Stored XSS in WHM Save Theme Interface (SEC-400).
CVE-2018-20902 (v3: 5.5) 1 Aug 2019
cPanel before 71.9980.37 allows attackers to read root's crontab file by leveraging ClamAV installation (SEC-408).
CVE-2018-20903 (v3: 6.1) 1 Aug 2019
cPanel before 71.9980.37 allows self XSS in the WHM Backup Configuration interface (SEC-421).
CVE-2018-20910 (v3: 6.1) 1 Aug 2019
cPanel before 70.0.23 allows self XSS in the WHM cPAddons showsecurity Interface (SEC-357).
CVE-2018-20911 (v3: 7.2) 1 Aug 2019
cPanel before 70.0.23 allows code execution because "." is in @INC during a Perl syntax check of cpaddonsup (SEC-359).
CVE-2018-20912 (v3: 6.3) 1 Aug 2019
cPanel before 70.0.23 allows demo accounts to execute code via awstats (SEC-362).
CVE-2018-20913 (v3: 4.9) 1 Aug 2019
cPanel before 70.0.23 allows attackers to read the root accesshash via the WHM /cgi/trustclustermaster.cgi (SEC-364).
CVE-2018-20914 (v3: 7.3) 1 Aug 2019
In cPanel before 70.0.23, OpenID providers can inject arbitrary data into cPanel session files (SEC-368).
CVE-2018-20915 (v3: 5.4) 1 Aug 2019
cPanel before 70.0.23 allows stored XSS via a WHM Edit DNS Zone action (SEC-369).
CVE-2018-20916 (v3: 5.4) 1 Aug 2019
cPanel before 70.0.23 allows Stored XSS via a WHM Edit MX Entry (SEC-370).
CVE-2018-20917 (v3: 5.5) 1 Aug 2019
cPanel before 70.0.23 allows any user to disable Solr (SEC-371).
CVE-2018-20918 (v3: 6.1) 1 Aug 2019
cPanel before 70.0.23 allows stored XSS in WHM DNS Cluster (SEC-372).
CVE-2018-20919 (v3: 6.1) 1 Aug 2019
cPanel before 70.0.23 allows stored XSS via a WHM Create Account action (SEC-373).
CVE-2018-20920 (v3: 6.1) 1 Aug 2019
cPanel before 70.0.23 allows stored XSS via a WHM Edit DNS Zone action (SEC-374).
CVE-2018-20921 (v3: 6.1) 1 Aug 2019
cPanel before 70.0.23 allows stored XSS via a WHM "Delete a DNS Zone" action (SEC-375).
CVE-2018-20922 (v3: 6.1) 1 Aug 2019
cPanel before 70.0.23 allows stored XSS via a WHM DNS Cleanup action (SEC-376).
CVE-2018-20923 (v3: 6.1) 1 Aug 2019
cPanel before 70.0.23 allows stored XSS via a WHM Synchronize DNS Records action (SEC-377).
CVE-2018-20887 (v3: 9.8) 1 Aug 2019
cPanel before 74.0.0 allows SQL injection during database backups (SEC-420).
CVE-2018-20888 (v3: 5.5) 1 Aug 2019
cPanel before 74.0.0 allows file modification in the context of the root account because of incorrect HTTP authentication (SEC-424).
CVE-2018-20889 (v3: 4.4) 1 Aug 2019
cPanel before 74.0.0 allows certain file-read operations via password file caching (SEC-425).
CVE-2018-20890 (v3: 4.3) 1 Aug 2019
cPanel before 74.0.0 allows arbitrary zone file modifications during record edits (SEC-426).
CVE-2018-20891 (v3: 5.5) 1 Aug 2019
cPanel before 74.0.0 allows arbitrary file-read operations during File Restoration (SEC-436).

2017

CVE-2017-18469 (v3: 6.3) 5 Aug 2019
cPanel before 62.0.17 allows demo accounts to execute code via an NVData_fetchinc API call (SEC-233).
CVE-2017-18471 (v3: 5.4) 5 Aug 2019
cPanel before 62.0.4 allows self XSS on the paper_lantern password-change screen (SEC-197).
CVE-2017-18472 (v3: 6.1) 5 Aug 2019
cPanel before 62.0.4 allows reflected XSS in reset-password interfaces (SEC-198).
CVE-2017-18473 (v3: 5.4) 5 Aug 2019
cPanel before 62.0.4 allows self XSS on the webmail Password and Security page (SEC-199).
CVE-2017-18474 (v3: 6.5) 5 Aug 2019
cPanel before 62.0.4 allows arbitrary file-read operations via Exim valiases (SEC-201).
CVE-2017-18475 (v3: 8.8) 5 Aug 2019
In cPanel before 62.0.4, Exim piped filters ran in the context of an incorrect user account when delivering to a system user (SEC-204).
CVE-2017-18478 (v3: 6.5) 5 Aug 2019
In cPanel before 62.0.4 incorrect ACL checks could occur in xml-api for Rearrange Account actions (SEC-207).
CVE-2017-18479 (v3: 6.5) 5 Aug 2019
In cPanel before 62.0.4, WHM SSL certificate generation uses an unreserved e-mail address (SEC-209).
CVE-2017-18481 (v3: 5.4) 5 Aug 2019
cPanel before 62.0.4 allows stored XSS in the WHM Account Suspension List interface (SEC-211).
CVE-2017-18482 (v3: 6.5) 5 Aug 2019
cPanel before 62.0.4 allows resellers to use the WHM enqueue_transfer_item API for queueing non-rearrange modules (SEC-213).
CVE-2017-18464 (v3: 4.9) 5 Aug 2019
cPanel before 62.0.17 allows arbitrary file-overwrite operations via the WHM Zone Template editor (SEC-226).
CVE-2017-18465 (v3: 4.4) 5 Aug 2019
cPanel before 62.0.17 does not have a sufficient list of reserved usernames (SEC-227).
CVE-2017-18466 (v3: 2.7) 5 Aug 2019
cPanel before 62.0.17 does not properly recognize domain ownership during addition of parked domains to a mail configuration (SEC-228).
CVE-2017-18468 (v3: 6.3) 5 Aug 2019
cPanel before 62.0.17 allows demo accounts to execute code via the Htaccess::setphppreference API (SEC-232).
CVE-2017-18436 (v3: 3.5) 2 Aug 2019
cPanel before 64.0.21 allows demo accounts to read files via a Fileman::getfileactions API2 call (SEC-239).
CVE-2017-18437 (v3: 4.4) 2 Aug 2019
cPanel before 64.0.21 allows a Webmail account to execute code via forwarders (SEC-240).
CVE-2017-18438 (v3: 6.3) 2 Aug 2019
cPanel before 64.0.21 allows demo accounts to execute code via Encoding API calls (SEC-242).
CVE-2017-18439 (v3: 6.3) 2 Aug 2019
cPanel before 64.0.21 allows demo accounts to execute code via an ImageManager_dimensions API call (SEC-243).
CVE-2017-18440 (v3: 4.3) 2 Aug 2019
cPanel before 64.0.21 allows demo users to execute traceroute via api2 (SEC-244).
CVE-2017-18441 (v3: 5) 2 Aug 2019
cPanel before 64.0.21 allows demo accounts to redirect web traffic (SEC-245).
CVE-2017-18442 (v3: 5.3) 2 Aug 2019
cPanel before 64.0.21 allows demo accounts to execute Cpanel::SPFUI API commands (SEC-246).
CVE-2017-18443 (v3: 5.8) 2 Aug 2019
cPanel before 64.0.21 allows demo and suspended accounts to use SSH port forwarding (SEC-247).
CVE-2017-18444 (v3: 5.3) 2 Aug 2019
cPanel before 64.0.21 allows demo accounts to execute SSH API commands (SEC-248).
CVE-2017-18446 (v3: 6.3) 2 Aug 2019
cPanel before 64.0.21 allows file-read and file-write operations for demo accounts via the SourceIPCheck API (SEC-250).
CVE-2017-18447 (v3: 6.3) 2 Aug 2019
cPanel before 64.0.21 allows demo accounts to execute code via the ClamScanner_getsocket API (SEC-251).
CVE-2017-18448 (v3: 5.3) 2 Aug 2019
cPanel before 64.0.21 allows certain file-read operations via a Serverinfo_manpage API call (SEC-252).
CVE-2017-18449 (v3: 5.5) 2 Aug 2019
cPanel before 64.0.21 allows certain file-rename operations in the context of the root account via scripts/convert_roundcube_mysql2sqlite (SEC-254).
CVE-2017-18452 (v3: 6.7) 2 Aug 2019
cPanel before 64.0.21 allows code execution via Rails configuration files (SEC-259).
CVE-2017-18453 (v3: 4.9) 2 Aug 2019
cPanel before 64.0.21 does not preserve supplemental groups across account renames (SEC-260).
CVE-2017-18454 (v3: 5.4) 2 Aug 2019
cPanel before 62.0.24 allows stored XSS in the WHM cPAddons install interface (SEC-262).
CVE-2017-18456 (v3: 6.1) 2 Aug 2019
cPanel before 62.0.17 allows self XSS in the WHM cPAddons showsecurity interface (SEC-217).
CVE-2017-18457 (v3: 4.4) 2 Aug 2019
cPanel before 62.0.17 allows arbitrary file-read operations via WHM /styled/ URLs (SEC-218).
CVE-2017-18458 (v3: 3.3) 2 Aug 2019
cPanel before 62.0.17 allows file overwrite when renaming an account (SEC-219).
CVE-2017-18459 (v3: 7.8) 2 Aug 2019
cPanel before 62.0.17 allows arbitrary code execution during account modification (SEC-220).
CVE-2017-18460 (v3: 7.8) 2 Aug 2019
cPanel before 62.0.17 allows arbitrary code execution during automatic SSL installation (SEC-221).
CVE-2017-18461 (v3: 4.3) 2 Aug 2019
cPanel before 62.0.17 allows does not preserve security policy questions across an account rename (SEC-223).
CVE-2017-18463 (v3: 7.8) 2 Aug 2019
cPanel before 62.0.17 allows code execution in the context of the root account via a long DocumentRoot path (SEC-225).
CVE-2017-18417 (v3: 5.4) 2 Aug 2019
cPanel before 66.0.2 allows stored XSS during WHM cPAddons installation (SEC-263).
CVE-2017-18418 (v3: 5.4) 2 Aug 2019
cPanel before 66.0.2 allows stored XSS during WHM cPAddons file operations (SEC-265).
CVE-2017-18419 (v3: 5.4) 2 Aug 2019
cPanel before 66.0.2 allows stored XSS during WHM cPAddons uninstallation (SEC-266).
CVE-2017-18420 (v3: 5.4) 2 Aug 2019
cPanel before 66.0.2 allows stored XSS during WHM cPAddons processing (SEC-269).
CVE-2017-18421 (v3: 3.3) 2 Aug 2019
cPanel before 66.0.2 allows demo accounts to create databases and users (SEC-271).
CVE-2017-18423 (v3: 3.3) 2 Aug 2019
In cPanel before 66.0.2, domain log files become readable after log processing (SEC-273).
CVE-2017-18424 (v3: 3.3) 2 Aug 2019
In cPanel before 66.0.2, the Apache HTTP Server configuration file is changed to world-readable when rebuilt (SEC-274).
CVE-2017-18426 (v3: 2.7) 2 Aug 2019
cPanel before 66.0.2 allows resellers to read other accounts' domain log files (SEC-288).
CVE-2017-18428 (v3: 2.5) 2 Aug 2019
In cPanel before 66.0.2, Apache HTTP Server domlogs become temporarily world-readable during log processing (SEC-290).
CVE-2017-18430 (v3: 4.7) 2 Aug 2019
In cPanel before 66.0.2, user and group ownership may be incorrectly set when using reassign_post_terminate_cruft (SEC-294).
CVE-2017-18431 (v3: 7.5) 2 Aug 2019
cPanel before 66.0.1 does not reliably perform suspend/unsuspend operations on accounts (CPANEL-13941).
CVE-2017-18432 (v3: 7.8) 2 Aug 2019
In cPanel before 64.0.21, Horde MySQL to SQLite conversion can leak a database password (SEC-234).
CVE-2017-18433 (v3: 8.8) 2 Aug 2019
cPanel before 64.0.21 allows code execution by webmail and demo accounts via a store_filter API call (SEC-236).

2016

CVE-2016-10798 (v3: 6.8) 7 Aug 2019
cPanel before 58.0.4 allows a file-ownership change (to nobody) via rearrangeacct (SEC-134).
CVE-2016-10799 (v3: 5.5) 7 Aug 2019
cPanel before 58.0.4 does not set the Pear tmp directory during a PHP installation (SEC-137).
CVE-2016-10800 (v3: 7.8) 7 Aug 2019
cPanel before 58.0.4 allows demo-mode escape via Site Templates and Boxtrapper API calls (SEC-138).
CVE-2016-10801 (v3: 8.8) 7 Aug 2019
cPanel before 58.0.4 has improper session handling for shared users (SEC-139).
CVE-2016-10802 (v3: 8.8) 7 Aug 2019
cPanel before 58.0.4 allows code execution in the context of other user accounts through the PHP CGI handler (SEC-142).
CVE-2016-10803 (v3: 7.5) 7 Aug 2019
cPanel before 57.9999.105 allows newline injection via LOC records (CPANEL-6923).
CVE-2016-10804 (v3: 8.1) 7 Aug 2019
The SQLite journal feature in cPanel before 57.9999.54 allows arbitrary file-overwrite operations during Horde Restore (SEC-58).
CVE-2016-10805 (v3: 8.8) 7 Aug 2019
cPanel before 57.9999.54 allows demo accounts to execute arbitrary code via ajax_maketext_syntax_util.pl (SEC-109).
CVE-2016-10806 (v3: 5.4) 7 Aug 2019
cPanel before 57.9999.54 allows self XSS on the Paper Lantern Landing Page (SEC-110).
CVE-2016-10807 (v3: 6.5) 7 Aug 2019
cPanel before 57.9999.54 allows certain denial-of-service outcomes via /scripts/killpvhost (SEC-112).
CVE-2016-10808 (v3: 8.8) 7 Aug 2019
In cPanel before 57.9999.54, /scripts/addpop and /scripts/delpop exposed TTYs (SEC-113).
CVE-2016-10809 (v3: 8.8) 7 Aug 2019
In cPanel before 57.9999.54, /scripts/checkinfopages exposed a TTY to an unprivileged process (SEC-114).
CVE-2016-10810 (v3: 8.8) 7 Aug 2019
In cPanel before 57.9999.54, /scripts/maildir_converter exposed a TTY to an unprivileged process (SEC-115).
CVE-2016-10811 (v3: 8.8) 7 Aug 2019
In cPanel before 57.9999.54, /scripts/unsuspendacct exposed TTYs (SEC-116).
CVE-2016-10812 (v3: 8.8) 7 Aug 2019
In cPanel before 57.9999.54, /scripts/enablefileprotect exposed TTYs (SEC-117).
CVE-2016-10792 (v3: 8.8) 6 Aug 2019
cPanel before 59.9999.145 allows code execution in the context of other accounts via mailman list archives (SEC-141).
CVE-2016-10793 (v3: 8.8) 6 Aug 2019
cPanel before 59.9999.145 allows arbitrary code execution due to an incorrect #! in Mail::SPF scripts (SEC-152).
CVE-2016-10794 (v3: 6.5) 6 Aug 2019
cPanel before 59.9999.145 allows arbitrary file-read operations because of a multipart form processing error (SEC-154).
CVE-2016-10795 (v3: 6.1) 6 Aug 2019
cPanel before 59.9999.145 allows stored XSS in the WHM tail_upcp2.cgi interface (SEC-156).
CVE-2016-10797 (v3: 4.3) 6 Aug 2019
cPanel before 58.0.4 allows WHM "Purchase and Install an SSL Certificate" page visitors to list all server domains (SEC-133).
CVE-2016-10776 (v3: 5.4) 6 Aug 2019
cPanel before 60.0.25 allows stored XSS during the homedir removal phase of WHM Account termination (SEC-174).
CVE-2016-10777 (v3: 5.4) 6 Aug 2019
cPanel before 60.0.25 allows self XSS in WHM Tweak Settings for autodiscover_host (SEC-177).
CVE-2016-10778 (v3: 5.4) 6 Aug 2019
cPanel before 60.0.25 allows self stored XSS in the listftpstable API (SEC-178).
CVE-2016-10779 (v3: 5.4) 6 Aug 2019
cPanel before 60.0.25 allows stored XSS in api1_listautoresponders (SEC-179).
CVE-2016-10780 (v3: 5.4) 6 Aug 2019
cPanel before 60.0.25 allows stored XSS in the ftp_sessions API (SEC-180).
CVE-2016-10781 (v3: 5.4) 6 Aug 2019
cPanel before 60.0.25 allows self XSS in the UI_confirm API (SEC-180).
CVE-2016-10782 (v3: 5.4) 6 Aug 2019
cPanel before 60.0.25 allows self stored XSS in postgres API1 listdbs (SEC-181).
CVE-2016-10783 (v3: 5.4) 6 Aug 2019
cPanel before 60.0.25 allows self stored XSS in SSL_listkeys (SEC-182).
CVE-2016-10784 (v3: 5.4) 6 Aug 2019
cPanel before 60.0.25 allows self XSS in the alias upload interface (SEC-184).
CVE-2016-10785 (v3: 6.5) 6 Aug 2019
cPanel before 60.0.25 allows attackers to discover file contents during file copy operations (SEC-185).
CVE-2016-10786 (v3: 6.5) 6 Aug 2019
cPanel before 60.0.25 allows members of the nobody group to read Apache HTTP Server SSL keys (SEC-186).
CVE-2016-10787 (v3: 8.1) 6 Aug 2019
The Host Access Control feature in cPanel before 60.0.25 mishandles actionless host.deny entries (SEC-187).
CVE-2016-10788 (v3: 8.8) 6 Aug 2019
cPanel before 60.0.25 allows arbitrary code execution via Maketext in PostgreSQL adminbin (SEC-188).
CVE-2016-10789 (v3: 8.8) 6 Aug 2019
cPanel before 60.0.25 allows code execution via the cpsrvd 403 error response handler (SEC-191).
CVE-2016-10790 (v3: 7.5) 6 Aug 2019
cPanel before 60.0.25 does not use TLS for HTTP POSTs to listinput.cpanel.net (SEC-192).
CVE-2016-10767 (v3: 5.4) 5 Aug 2019
cPanel before 60.0.25 allows stored XSS in the WHM Repair Mailbox Permissions interface (SEC-159).
CVE-2016-10768 (v3: 6.5) 5 Aug 2019
cPanel before 60.0.25 allows file-overwrite operations during preparation for MySQL upgrades (SEC-161).
CVE-2016-10769 (v3: 6.1) 5 Aug 2019
cPanel before 60.0.25 allows an open redirect via /cgi-sys/FormMail-clone.cgi (SEC-162).
CVE-2016-10770 (v3: 6.5) 5 Aug 2019
cPanel before 60.0.25 allows arbitrary file-overwrite operations during a Roundcube update (SEC-164).
CVE-2016-10771 (v3: 8.1) 5 Aug 2019
cPanel before 60.0.25 allows file-create and file-chmod operations during ModSecurity Audit logfile processing (SEC-165).
CVE-2016-10773 (v3: 8.8) 5 Aug 2019
cPanel before 60.0.25 allows format-string injection in exception-message handling (SEC-171).
CVE-2016-10774 (v3: 5.4) 5 Aug 2019
cPanel before 60.0.25 allows self XSS in the tail_ea4_migration.cgi interface (SEC-172).
CVE-2016-10775 (v3: 6.5) 5 Aug 2019
cPanel before 60.0.25 allows arbitrary file-chown operations via reassign_post_terminate_cruft (SEC-173).
CVE-2016-10813 (v3: 5.4) 1 Aug 2019
cPanel before 57.9999.54 allows self XSS during ftp account creation under addon domains (SEC-118).
CVE-2016-10814 (v3: 8.8) 1 Aug 2019
cPanel before 57.9999.54 allows demo-mode escape via show_template.stor (SEC-119).
CVE-2016-10815 (v3: 6.5) 1 Aug 2019
cPanel before 57.9999.54 allows arbitrary file-read operations for Webmail accounts via Branding APIs (SEC-120).
CVE-2016-10816 (v3: 8.8) 1 Aug 2019
cPanel before 57.9999.54 allows Webmail accounts to execute arbitrary code through forwarders (SEC-121).
CVE-2016-10817 (v3: 9.8) 1 Aug 2019
cPanel before 57.9999.54 allows SQL Injection via the ModSecurity TailWatch log file (SEC-123).
CVE-2016-10819 (v3: 6.5) 1 Aug 2019
In cPanel before 57.9999.54, user log files become world-readable when rotated by cpanellogd (SEC-125).
CVE-2016-10820 (v3: 8.8) 1 Aug 2019
cPanel before 55.9999.141 allows daemons to access their controlling TTYs (SEC-31).

2015

CVE-2015-9291 (v3: 7.5) 1 Aug 2019
cPanel before 11.52.0.13 does not prevent arbitrary file-read operations via get_information_for_applications (CPANEL-1221).

2014

2013

2012

CVE-2012-6449 (v3: 5.4) 10 Feb 2020
The clientconf.html and detailbw.html pages in x3 in cPanel & WHM 11.34.0 (build 8) have a XSS vulnerability.
CVE-2012-6448 (v3: 6.1) 27 Jan 2020
Cross-site Scripting (XSS) in cPanel WebHost Manager (WHM) 11.34.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

2011