Cpanel ≫ Cpanel

cPanel before 82.0.2 has stored XSS in the WHM Tomcat Manager interface (SEC-504).

cPanel before 82.0.2 has Self XSS in the cPanel and webmail master templates (SEC-506).

cPanel before 82.0.2 allows unauthenticated file creation because Exim log parsing is mishandled (SEC-507).

cPanel before 82.0.2 allows local users to discover the MySQL root password (SEC-510).

cPanel before 82.0.2 has stored XSS in the WHM Modify Account interface (SEC-512).

cPanel before 82.0.2 does not properly enforce Reseller package creation ACLs (SEC-514).

cPanel through 74 allows XSS via a crafted filename in the logs subdirectory of a user account, because the filename is mishandled during frontend/THEME/raw/index.html rendering.

Open redirect vulnerability in cgiemail and cgiecho allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via vectors involving the (1) success or (2) failure parameter.

Cross-site scripting (XSS) vulnerability in frontend/x3/files/fileop.html in cPanel 11.0 through 11.24.7 allows remote attackers to inject arbitrary web script or HTML via the fileop parameter.

Absolute path traversal vulnerability in the Disk Usage module (frontend/x/diskusage/index.html) in cPanel 11.18.3 allows remote attackers to list arbitrary directories via the showtree parameter.