Cpanel ≫ Cpanel

cPanel before 80.0.5 allows demo accounts to modify arbitrary files via the extractfile API1 call (SEC-496).

cPanel before 80.0.5 allows demo accounts to execute arbitrary code via ajax_maketext_syntax_util.pl (SEC-498).

The SSL certificate-storage feature in cPanel before 78.0.18 allows unsafe file operations in the context of the root account (SEC-477).

cPanel before 78.0.18 allows local users to escalate to root access because of userdata cache misparsing (SEC-479).

cPanel before 78.0.18 allows code execution via an addforward API1 call (SEC-480).

cPanel before 78.0.18 unsafely determines terminal capabilities by using infocmp (SEC-481).

cPanel before 78.0.18 offers an open mail relay because of incorrect domain-redirect routing (SEC-483).

cPanel before 78.0.18 allows certain file-read operations in the context of the root account via the Exim virtual_user_spam router (SEC-484).

cPanel before 78.0.18 allows demo accounts to execute code via securitypolicy.cg (SEC-487).

cPanel before 78.0.18 has stored XSS in the BoxTrapper Queue Listing (SEC-493).