Cpanel : Security Vulnerabilities, CVEs, CVSS score between 5 and 5.99

In cPanel before 96.0.8, weak permissions on web stats can lead to information disclosure (SEC-584).

cPanel before 86.0.14 allows remote attackers to trigger a bandwidth suspension via mail log strings (SEC-505).

cPanel before 84.0.20 allows attackers to bypass intended restrictions on features and demo accounts via WebDisk UAPI calls (SEC-541).

cPanel before 82.0.18 allows stored XSS via WHM Backup Restoration (SEC-533).

cPanel before 82.0.18 allows attackers to conduct arbitrary chown operations as root during log processing (SEC-532).

cPanel before 82.0.18 allows attackers to leverage virtual mail accounts in order to bypass account suspensions (SEC-508).

cPanel before 78.0.2 does not properly restrict demo accounts from writing to files via the DCV UAPI (SEC-473).

cPanel before 78.0.2 allows arbitrary file-read operations via Passenger adminbin (SEC-466).

cPanel before 78.0.18 allows certain file-read operations in the context of the root account via the Exim virtual_user_spam router (SEC-484).

cPanel before 80.0.5 allows demo accounts to modify arbitrary files via the extractfile API1 call (SEC-496).

cPanel before 80.0.5 allows unsafe file operations in the context of the root account via the fetch_ssl_certificates_for_fqdns API (SEC-489).

cPanel before 80.0.5 allows local code execution in the context of a different cPanel account because of insecure cpphp execution (SEC-486).

cPanel before 82.0.2 has stored XSS in the WHM Modify Account interface (SEC-512).

cPanel before 82.0.2 has stored XSS in the WHM Tomcat Manager interface (SEC-504).

cPanel before 68.0.27 allows certain file-write operations via the telnetcrt script (SEC-356).

cPanel before 68.0.27 allows arbitrary file-read operations via restore adminbin (SEC-349).

cPanel before 70.0.23 allows stored XSS in via a WHM "Reset a DNS Zone" action (SEC-412).

cPanel before 70.0.23 has Stored XSS via an WHM Edit DNS Zone action (SEC-410).

cPanel before 70.0.23 allows any user to disable Solr (SEC-371).

cPanel before 70.0.23 allows Stored XSS via a WHM Edit MX Entry (SEC-370).

cPanel before 70.0.23 allows stored XSS via a WHM Edit DNS Zone action (SEC-369).

cPanel before 71.9980.37 allows arbitrary file-read operations during pkgacct custom template handling (SEC-435).

cPanel before 71.9980.37 allows attackers to make API calls that bypass the backup feature restriction (SEC-429).

cPanel before 71.9980.37 allows attackers to read root's crontab file by leveraging ClamAV installation (SEC-408).

cPanel before 74.0.0 allows arbitrary file-read operations during File Restoration (SEC-436).