cPanel: Security Vulnerabilities, CVEs, CVSS score between 4 and 4.99
Multiple cross-site scripting (XSS) vulnerabilities in cPanel 9.1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) email parameter to dodelautores.html or (2) handle parameter to addhandle.html.
Max CVSS: 4.3 | EPSS Score: 1.45% | Published: 2004-03-24 | Updated: 2017-07-11
Cross-site scripting (XSS) vulnerability in cPanel 9.1.0 and possibly earlier allows remote attackers to inject arbitrary web script or HTML via the dir parameter in dohtaccess.html.
Max CVSS: 4.3 | EPSS Score: 0.33% | Published: 2004-12-31 | Updated: 2017-07-11
Cross-site scripting (XSS) vulnerability in cPanel 9.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the user parameter in the login page.
Max CVSS: 4.3 | EPSS Score: 0.12% | Published: 2005-06-20 | Updated: 2008-09-05
Cross-site scripting (XSS) vulnerability in the Entropy Chat script in cPanel 10.2.0-R82 and 10.6.0-R137 allows remote attackers to inject arbitrary web script or HTML via a chat message containing JavaScript in style attributes in tags such as <b>, which are processed by Internet Explorer.
Max CVSS: 4.3 | EPSS Score: 1.48% | Published: 2005-11-05 | Updated: 2018-10-19
Cross-site scripting (XSS) vulnerability in webmailaging.cgi in cPanel allows remote attackers to inject arbitrary web script or HTML via the numdays parameter.
Max CVSS: 4.3 | EPSS Score: 0.63% | Published: 2006-02-04 | Updated: 2017-07-20
Multiple cross-site scripting (XSS) vulnerabilities in cPanel 10 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) email parameter to (a) editquota.html or (b) dodelpop.html; (2) showtree parameter to (c) diskusage.html; or the (3) mon, (4) year, (5) target, or (6) domain parameter to (d) stats/detailbw.html.
Max CVSS: 4.3 | EPSS Score: 0.97% | Published: 2006-02-07 | Updated: 2017-07-20
Cross-site scripting (XSS) vulnerability in mime/handle.html in cPanel 10 allows remote attackers to inject arbitrary web script or HTML via the (1) file extension or (2) mime-type.
Max CVSS: 4.3 | EPSS Score: 0.59% | Published: 2006-02-07 | Updated: 2018-10-19
Cross-site scripting (XSS) vulnerability in dowebmailforward.cgi in cPanel allows remote attackers to inject arbitrary web script or HTML via a URL encoded value in the fwd parameter.
Max CVSS: 4.3 | EPSS Score: 0.26% | Published: 2006-02-18 | Updated: 2017-07-20
Multiple cross-site scripting (XSS) vulnerabilities in cPanel 10 allow remote attackers to inject arbitrary web script or HTML via the (1) dir parameter in dohtaccess.html, or the (2) file parameter in (a) editit.html or (b) showfile.html.
Max CVSS: 4.3 | EPSS Score: 0.65% | Published: 2006-08-22 | Updated: 2018-10-17
Multiple cross-site scripting (XSS) vulnerabilities in WebHostManager (WHM) 10.8.0 cPanel 10.9.0 R50 allow remote attackers to inject arbitrary web script or HTML via the (1) theme parameter to scripts/dosetmytheme and the (2) template parameter to scripts2/editzonetemplate.
Max CVSS: 4.3 | EPSS Score: 0.72% | Published: 2006-10-26 | Updated: 2018-10-17
Cross-site scripting (XSS) vulnerability in scripts/passwdmysql in cPanel WebHost Manager (WHM) 11.0.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the password parameter.
Max CVSS: 4.3 | EPSS Score: 0.72% | Published: 2007-02-12 | Updated: 2018-10-16
Cross-site scripting (XSS) vulnerability in Simple CGI Wrapper (scgiwrap) in cPanel before 10.9.1, and 11.x before 11.4.19-R14378, allows remote attackers to inject arbitrary web script or HTML via the URI. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
Max CVSS: 4.3 | EPSS Score: 0.25% | Published: 2007-06-22 | Updated: 2017-07-29
Cross-site scripting (XSS) vulnerability in frontend/x/htaccess/changepro.html in cPanel 10.9.1 allows remote attackers to inject arbitrary web script or HTML via the resname parameter.
Max CVSS: 4.3 | EPSS Score: 0.48% | Published: 2007-07-26 | Updated: 2018-10-15
Cross-site scripting (XSS) vulnerability in dohtaccess.html in cPanel before 11.17 build 19417 allows remote attackers to inject arbitrary web script or HTML via the rurl parameter. NOTE: some of these details are obtained from third party information.
Max CVSS: 4.3 | EPSS Score: 0.25% | Published: 2008-01-22 | Updated: 2018-10-15
Cross-site scripting (XSS) vulnerability in frontend/x/manpage.html in cPanel 11.18.3 and 11.21.0-BETA allows remote attackers to inject arbitrary web script or HTML via the query string.
Max CVSS: 4.3 | EPSS Score: 0.20% | Published: 2008-03-25 | Updated: 2018-10-11
Multiple cross-site request forgery (CSRF) vulnerabilities in cPanel, possibly 11.18.3 and 11.19.3, allow remote attackers to (1) execute arbitrary code via the command1 parameter to frontend/x2/cron/editcronsimple.html, and perform various administrative actions via (2) frontend/x2/sql/adddb.html, (3) frontend/x2/sql/adduser.html, and (4) frontend/x2/ftp/doaddftp.html.
Max CVSS: 4.3 | EPSS Score: 0.94% | Published: 2008-05-01 | Updated: 2017-08-08
The WHM interface 11.15.0 for cPanel 11.18 before 11.18.4 and 11.22 before 11.22.3 allows remote attackers to bypass XSS protection and inject arbitrary script or HTML via repeated, improperly-ordered "<" and ">" characters in the (1) issue parameter to scripts2/knowlegebase, (2) user parameter to scripts2/changeip, (3) search parameter to scripts2/listaccts, and other unspecified vectors.
Max CVSS: 4.3 | EPSS Score: 0.60% | Published: 2008-05-12 | Updated: 2018-10-11
Multiple cross-site request forgery (CSRF) vulnerabilities in the WHM interface 11.15.0 for cPanel 11.18 before 11.18.4 and 11.22 before 11.22.3 allow remote attackers to perform unauthorized actions as cPanel administrators via requests to cpanel/whm/webmail and other unspecified vectors.
Max CVSS: 4.3 | EPSS Score: 0.20% | Published: 2008-05-12 | Updated: 2018-10-11
Multiple cross-site scripting (XSS) vulnerabilities in autoinstall4imagesgalleryupgrade.php in the Fantastico De Luxe Module for cPanel allow remote attackers to inject arbitrary web script or HTML via the (1) localapp, (2) updatedir, (3) scriptpath_show, (4) domain_show, (5) thispage, (6) thisapp, and (7) currentversion parameters in an Upgrade action.
Max CVSS: 4.3 | EPSS Score: 0.38% | Published: 2009-08-10 | Updated: 2018-10-11
Cross-site scripting (XSS) vulnerability in frontend/x3/files/fileop.html in cPanel 11.0 through 11.24.7 allows remote attackers to inject arbitrary web script or HTML via the fileop parameter.
Max CVSS: 4.3 | EPSS Score: 0.49% | Published: 2010-04-27 | Updated: 2010-05-04
cPanel before 58.0.4 allows WHM "Purchase and Install an SSL Certificate" page visitors to list all server domains (SEC-133).
Max CVSS: 4.3 | EPSS Score: 0.05% | Published: 2019-08-06 | Updated: 2019-08-13
cPanel before 55.9999.141 allows a POP/IMAP cPHulk bypass via account name munging (SEC-107).
Max CVSS: 4.3 | EPSS Score: 0.05% | Published: 2019-08-01 | Updated: 2019-08-12
cPanel before 68.0.15 allows use of an unreserved e-mail address in DNS zone SOA records (SEC-306).
Max CVSS: 4.0 | EPSS Score: 0.05% | Published: 2019-08-02 | Updated: 2019-08-06
cPanel before 68.0.15 does not block a username of postmaster, which might allow reception of private e-mail (SEC-326).
Max CVSS: 4.0 | EPSS Score: 0.05% | Published: 2019-08-02 | Updated: 2019-08-13
cPanel before 68.0.15 does not have a sufficient list of reserved usernames (SEC-327).
Max CVSS: 4.0 | EPSS Score: 0.05% | Published: 2019-08-02 | Updated: 2019-08-13