cPanel: Security Vulnerabilities, CVEs, CVSS score between 5 and 7.99
bin/csvprocess in cPanel before 68.0.27 allows insecure file operations (SEC-354).
  Max CVSS: 7.9 | EPSS Score: 0.05% | Published: 2019-08-01 | Updated: 2019-08-13

Simple CGI Wrapper (scgiwrap) in cPanel before 10.9.1, and 11.x before 11.4.19-R14378, allows remote attackers to obtain sensitive information via a direct request, which reveals the path in an error message. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
  Max CVSS: 7.8 | EPSS Score: 0.61% | Published: 2007-06-22 | Updated: 2017-07-29

cPanel before 58.0.4 allows demo-mode escape via Site Templates and Boxtrapper API calls (SEC-138).
  Max CVSS: 7.8 | EPSS Score: 0.06% | Published: 2019-08-07 | Updated: 2019-08-12

Format string vulnerability in cgiemail and cgiecho allows remote attackers to execute arbitrary code via format string specifiers in a template file.
  Max CVSS: 7.8 | EPSS Score: 1.80% | Published: 2017-03-03 | Updated: 2017-03-07

cPanel before 68.0.15 writes home-directory backups to an incorrect location (SEC-309).
  Max CVSS: 7.8 | EPSS Score: 0.04% | Published: 2019-08-02 | Updated: 2019-08-06

cPanel before 68.0.15 can perform unsafe file operations because Jailshell does not set the umask (SEC-315).
  Max CVSS: 7.8 | EPSS Score: 0.04% | Published: 2019-08-02 | Updated: 2019-08-09

cPanel before 68.0.15 allows code execution in the context of the root account because of weak permissions on incremental backups (SEC-322).
  Max CVSS: 7.8 | EPSS Score: 0.04% | Published: 2019-08-02 | Updated: 2019-08-08

cPanel before 68.0.15 allows local root code execution via cpdavd (SEC-333).
  Max CVSS: 7.8 | EPSS Score: 0.04% | Published: 2019-08-02 | Updated: 2019-08-13

In cPanel before 67.9999.103, the backup system overwrites root's home directory when a mount disappears (SEC-299).
  Max CVSS: 7.8 | EPSS Score: 0.04% | Published: 2019-08-02 | Updated: 2019-08-12

cPanel before 67.9999.103 allows code execution in the context of the mailman account because of incorrect environment-variable filtering (SEC-302).
  Max CVSS: 7.8 | EPSS Score: 0.04% | Published: 2019-08-02 | Updated: 2019-08-12

In cPanel before 64.0.21, Horde MySQL to SQLite conversion can leak a database password (SEC-234).
  Max CVSS: 7.8 | EPSS Score: 0.04% | Published: 2019-08-02 | Updated: 2019-08-12

cPanel before 64.0.21 allows code execution in the context of the root account via a SET_VHOST_LANG_PACKAGE multilang adminbin call (SEC-237).
  Max CVSS: 7.8 | EPSS Score: 0.04% | Published: 2019-08-02 | Updated: 2019-08-09

cPanel before 62.0.17 allows arbitrary code execution during account modification (SEC-220).
  Max CVSS: 7.8 | EPSS Score: 0.04% | Published: 2019-08-02 | Updated: 2019-08-07

cPanel before 62.0.17 allows arbitrary code execution during automatic SSL installation (SEC-221).
  Max CVSS: 7.8 | EPSS Score: 0.04% | Published: 2019-08-02 | Updated: 2019-08-07

cPanel before 62.0.17 allows code execution in the context of the root account via a long DocumentRoot path (SEC-225).
  Max CVSS: 7.8 | EPSS Score: 0.04% | Published: 2019-08-02 | Updated: 2019-08-06

cPanel before 76.0.8 unsafely performs PostgreSQL password changes (SEC-366).
  Max CVSS: 7.8 | EPSS Score: 0.04% | Published: 2019-07-30 | Updated: 2020-08-24

cPanel before 76.0.8 allows arbitrary code execution in the context of the root account via dnssec adminbin (SEC-465).
  Max CVSS: 7.8 | EPSS Score: 0.04% | Published: 2019-07-30 | Updated: 2019-07-31

cPanel before 82.0.2 allows local users to discover the MySQL root password (SEC-510).
  Max CVSS: 7.8 | EPSS Score: 0.04% | Published: 2019-07-30 | Updated: 2020-08-24

cPanel before 78.0.18 allows local users to escalate to root access because of userdata cache misparsing (SEC-479).
  Max CVSS: 7.8 | EPSS Score: 0.05% | Published: 2019-07-30 | Updated: 2020-08-24

Remote file inclusion vulnerability in scripts2/objcache in cPanel WebHost Manager (WHM) allows remote attackers to execute arbitrary code via a URL in the obj parameter. NOTE: a third party claims that this issue is not file inclusion because the contents are not parsed, but the attack can be used to overwrite files in /var/cpanel/objcache or provide unexpected web page contents.
  Max CVSS: 7.5 | EPSS Score: 4.48% | Published: 2007-02-08 | Updated: 2018-10-16

cPanel before 11.52.0.13 does not prevent arbitrary file-read operations via get_information_for_applications (CPANEL-1221).
  Max CVSS: 7.5 | EPSS Score: 0.17% | Published: 2019-08-01 | Updated: 2019-08-07

cPanel before 60.0.25 does not use TLS for HTTP POSTs to listinput.cpanel.net (SEC-192).
  Max CVSS: 7.5 | EPSS Score: 0.17% | Published: 2019-08-06 | Updated: 2019-08-12

cPanel before 57.9999.105 allows newline injection via LOC records (CPANEL-6923).
  Max CVSS: 7.5 | EPSS Score: 0.07% | Published: 2019-08-07 | Updated: 2019-08-12

cPanel before 55.9999.141 mishandles username-based blocking for PRE requests in cPHulkd (SEC-104).
  Max CVSS: 7.5 | EPSS Score: 0.17% | Published: 2019-08-01 | Updated: 2019-08-12

cPanel before 67.9999.103 allows SQL injection during eximstats processing (SEC-276).
  Max CVSS: 7.5 | EPSS Score: 0.07% | Published: 2019-08-02 | Updated: 2019-08-12