cPanel: Security Vulnerabilities, CVEs, CVSS score between 6 and 6.99
Cross-site scripting (XSS) vulnerability in cPanel 6.4.2 allows remote attackers to insert arbitrary HTML and possibly gain cPanel administrator privileges via script in a URL that is logged but not properly quoted when displayed via the (1) Error Log or (2) Latest Visitors screens.
Max CVSS: 6.8 | EPSS Score: 1.77% | Published: 2003-08-18 | Updated: 2016-10-18
Multiple cross-site scripting (XSS) vulnerabilities in cPanel WebHost Manager (WHM) 3.1.0 allow remote authenticated users to inject arbitrary web script or HTML via the (1) email parameter to (a) scripts2/dochangeemail, the (2) supporturl parameter to (b) cgi/addon_configsupport.cgi, the (3) pkg parameter to (c) scripts/editpkg, the (4) domain parameter to (d) scripts2/domts2 and (e) scripts/editzone, the (5) feature parameter to (g) scripts2/dofeaturemanager, and the (6) ndomain parameter to (h) scripts/park.
Max CVSS: 6.0 | EPSS Score: 0.64% | Published: 2006-12-01 | Updated: 2018-10-17
Cross-site scripting (XSS) vulnerability in mail/manage.html in BoxTrapper in cPanel 11 allows remote attackers to inject arbitrary web script or HTML via the account parameter.
Max CVSS: 6.8 | EPSS Score: 5.12% | Published: 2006-12-14 | Updated: 2018-10-17
Cross-site Scripting (XSS) in cPanel WebHost Manager (WHM) 11.34.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Max CVSS: 6.1 | EPSS Score: 0.11% | Published: 2020-01-27 | Updated: 2020-01-29
cPanel before 60.0.25 allows file-overwrite operations during preparation for MySQL upgrades (SEC-161).
Max CVSS: 6.5 | EPSS Score: 0.05% | Published: 2019-08-05 | Updated: 2019-08-08
cPanel before 60.0.25 allows an open redirect via /cgi-sys/FormMail-clone.cgi (SEC-162).
Max CVSS: 6.1 | EPSS Score: 0.08% | Published: 2019-08-05 | Updated: 2019-08-08
cPanel before 60.0.25 allows arbitrary file-overwrite operations during a Roundcube update (SEC-164).
Max CVSS: 6.5 | EPSS Score: 0.05% | Published: 2019-08-05 | Updated: 2019-08-09
cPanel before 60.0.25 allows arbitrary file-chown operations via reassign_post_terminate_cruft (SEC-173).
Max CVSS: 6.8 | EPSS Score: 0.06% | Published: 2019-08-05 | Updated: 2019-08-12
cPanel before 60.0.25 allows attackers to discover file contents during file copy operations (SEC-185).
Max CVSS: 6.5 | EPSS Score: 0.07% | Published: 2019-08-06 | Updated: 2019-08-08
cPanel before 60.0.25 allows members of the nobody group to read Apache HTTP Server SSL keys (SEC-186).
Max CVSS: 6.5 | EPSS Score: 0.07% | Published: 2019-08-06 | Updated: 2019-08-09
cPanel before 59.9999.145 allows arbitrary file-read operations because of a multipart form processing error (SEC-154).
Max CVSS: 6.5 | EPSS Score: 0.07% | Published: 2019-08-06 | Updated: 2019-08-13
cPanel before 59.9999.145 allows stored XSS in the WHM tail_upcp2.cgi interface (SEC-156).
Max CVSS: 6.1 | EPSS Score: 0.08% | Published: 2019-08-06 | Updated: 2019-08-12
cPanel before 58.0.4 allows a file-ownership change (to nobody) via rearrangeacct (SEC-134).
Max CVSS: 6.8 | EPSS Score: 0.07% | Published: 2019-08-07 | Updated: 2019-08-13
cPanel before 57.9999.54 allows certain denial-of-service outcomes via /scripts/killpvhost (SEC-112).
Max CVSS: 6.5 | EPSS Score: 0.08% | Published: 2019-08-07 | Updated: 2019-08-09
cPanel before 57.9999.54 allows arbitrary file-read operations for Webmail accounts via Branding APIs (SEC-120).
Max CVSS: 6.5 | EPSS Score: 0.07% | Published: 2019-08-01 | Updated: 2019-08-06
cPanel before 57.9999.54 incorrectly sets log-file permissions in dnsadmin-startup and spamd-startup (SEC-124).
Max CVSS: 6.5 | EPSS Score: 0.07% | Published: 2019-08-01 | Updated: 2019-08-06
In cPanel before 57.9999.54, user log files become world-readable when rotated by cpanellogd (SEC-125).
Max CVSS: 6.5 | EPSS Score: 0.07% | Published: 2019-08-01 | Updated: 2019-08-06
In cPanel before 55.9999.141, Scripts/addpop reveals a command-line password in a process list (SEC-75).
Max CVSS: 6.5 | EPSS Score: 0.07% | Published: 2019-08-01 | Updated: 2019-08-06
cPanel before 55.9999.141 allows arbitrary file-read operations because of a multipart form processing error (SEC-99).
Max CVSS: 6.8 | EPSS Score: 0.07% | Published: 2019-08-01 | Updated: 2019-08-12
cPanel before 55.9999.141 allows FTP cPHulk bypass via account name munging (SEC-102).
Max CVSS: 6.5 | EPSS Score: 0.07% | Published: 2019-08-01 | Updated: 2019-08-12
cPanel before 55.9999.141 allows arbitrary file-read operations during authentication with caldav (SEC-108).
Max CVSS: 6.5 | EPSS Score: 0.07% | Published: 2019-08-01 | Updated: 2019-08-13
cPanel before 11.54.0.4 allows arbitrary file-read operations via the bin/fmq script (SEC-70).
Max CVSS: 6.8 | EPSS Score: 0.07% | Published: 2019-08-01 | Updated: 2019-08-13
cPanel before 11.54.0.4 allows certain file-read operations in bin/setup_global_spam_filter.pl (SEC-74).
Max CVSS: 6.5 | EPSS Score: 0.06% | Published: 2019-08-01 | Updated: 2019-08-12
The chcpass script in cPanel before 11.54.0.4 reveals a password hash (SEC-77).
Max CVSS: 6.5 | EPSS Score: 0.07% | Published: 2019-08-01 | Updated: 2019-08-08
cPanel before 11.54.0.4 allows certain file-chmod operations in scripts/secureit (SEC-82).
Max CVSS: 6.5 | EPSS Score: 0.05% | Published: 2019-08-01 | Updated: 2019-08-09