Cpanel : Security Vulnerabilities, CVEs, Published In 2019 CVSS score >= 6

cPanel before 82.0.15 allows self XSS in the WHM Update Preferences interface (SEC-528).

cPanel before 82.0.15 allows self stored XSS in the WHM SSL Storage Manager interface (SEC-527).

cPanel before 82.0.15 allows self XSS in the SSL Key Delete interface (SEC-526).

cPanel before 82.0.15 allows self XSS in LiveAPI example scripts (SEC-524).

cPanel before 82.0.15 allows self XSS in the SSL Certificate Upload interface (SEC-521).

cPanel before 82.0.15 allows API token credentials to persist after an account has been renamed or terminated (SEC-517).

cPanel before 78.0.18 has stored XSS in the BoxTrapper Queue Listing (SEC-493).

cPanel before 78.0.18 allows demo accounts to execute code via securitypolicy.cg (SEC-487).

cPanel before 78.0.18 allows code execution via an addforward API1 call (SEC-480).

cPanel before 78.0.18 allows local users to escalate to root access because of userdata cache misparsing (SEC-479).

The SSL certificate-storage feature in cPanel before 78.0.18 allows unsafe file operations in the context of the root account (SEC-477).

cPanel before 80.0.5 allows demo accounts to execute arbitrary code via ajax_maketext_syntax_util.pl (SEC-498).

cPanel before 80.0.22 allows remote code execution by a demo account because of incorrect URI dispatching (SEC-501).

cPanel before 82.0.2 allows local users to discover the MySQL root password (SEC-510).

cPanel before 82.0.2 allows unauthenticated file creation because Exim log parsing is mishandled (SEC-507).

cPanel before 82.0.2 has Self XSS in the cPanel and webmail master templates (SEC-506).

cPanel before 68.0.27 allows self XSS in the WHM listips interface (SEC-389).

cPanel before 68.0.27 creates world-readable files during use of WHM Apache Includes Editor (SEC-388).

cPanel before 68.0.27 allows self XSS in WHM Spamd Startup Config (SEC-387).

cPanel before 68.0.27 allows self stored XSS in WHM Account Transfer (SEC-386).

cPanel before 68.0.27 allows self XSS in WHM Apache Configuration Include Editor (SEC-385).

cPanel before 68.0.27 allows self XSS in cPanel Backup Restoration (SEC-383).

bin/csvprocess in cPanel before 68.0.27 allows insecure file operations (SEC-354).

cPanel before 70.0.23 does not prevent e-mail account suspensions from being applied to unowned accounts (SEC-411).

cPanel before 70.0.23 allows demo accounts to execute code via the Landing Page (SEC-405).