CVEdetails.com the ultimate security vulnerability data source
Cpanel : Security Vulnerabilities

Columns per entry: # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access | Access | Complexity | Authentication | Conf. | Integ. | Avail. ("-" means the column is empty on the page)

301  CVE-2016-10792  CWE: 284  Exploits: -  Type: Exec Code  Published: 2019-08-06  Updated: 2019-08-13
  Score: 6.5  Gained access: None  Access: Remote  Complexity: Low  Authentication: Single system  Conf: Partial  Integ: Partial  Avail: Partial
  cPanel before 59.9999.145 allows code execution in the context of other accounts via mailman list archives (SEC-141).

302  CVE-2016-10791  CWE: 255  Exploits: -  Type: -  Published: 2019-08-06  Updated: 2019-08-13
  Score: 5.0  Gained access: None  Access: Remote  Complexity: Low  Authentication: Not required  Conf: None  Integ: Partial  Avail: None
  cPanel before 60.0.15 does not ensure that system accounts lack a valid password, so that logins are impossible (CPANEL-9559).

303  CVE-2016-10790  CWE: 200  Exploits: -  Type: +Info  Published: 2019-08-06  Updated: 2019-08-12
  Score: 5.0  Gained access: None  Access: Remote  Complexity: Low  Authentication: Not required  Conf: Partial  Integ: None  Avail: None
  cPanel before 60.0.25 does not use TLS for HTTP POSTs to listinput.cpanel.net (SEC-192).

304  CVE-2016-10789  CWE: 20  Exploits: -  Type: Exec Code  Published: 2019-08-06  Updated: 2019-08-09
  Score: 6.5  Gained access: None  Access: Remote  Complexity: Low  Authentication: Single system  Conf: Partial  Integ: Partial  Avail: Partial
  cPanel before 60.0.25 allows code execution via the cpsrvd 403 error response handler (SEC-191).

305  CVE-2016-10788  CWE: 20  Exploits: -  Type: Exec Code  Published: 2019-08-06  Updated: 2019-08-09
  Score: 9.0  Gained access: None  Access: Remote  Complexity: Low  Authentication: Single system  Conf: Complete  Integ: Complete  Avail: Complete
  cPanel before 60.0.25 allows arbitrary code execution via Maketext in PostgreSQL adminbin (SEC-188).

306  CVE-2016-10787  CWE: 20  Exploits: -  Type: -  Published: 2019-08-06  Updated: 2019-08-09
  Score: 5.5  Gained access: None  Access: Remote  Complexity: Low  Authentication: Single system  Conf: Partial  Integ: Partial  Avail: None
  The Host Access Control feature in cPanel before 60.0.25 mishandles actionless host.deny entries (SEC-187).

307  CVE-2016-10786  CWE: 200  Exploits: -  Type: +Info  Published: 2019-08-06  Updated: 2019-08-09
  Score: 4.0  Gained access: None  Access: Remote  Complexity: Low  Authentication: Single system  Conf: Partial  Integ: None  Avail: None
  cPanel before 60.0.25 allows members of the nobody group to read Apache HTTP Server SSL keys (SEC-186).

308  CVE-2016-10785  CWE: 200  Exploits: -  Type: +Info  Published: 2019-08-06  Updated: 2019-08-08
  Score: 4.0  Gained access: None  Access: Remote  Complexity: Low  Authentication: Single system  Conf: Partial  Integ: None  Avail: None
  cPanel before 60.0.25 allows attackers to discover file contents during file copy operations (SEC-185).

309  CVE-2016-10784  CWE: 79  Exploits: -  Type: XSS  Published: 2019-08-06  Updated: 2019-08-08
  Score: 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: Single system  Conf: None  Integ: Partial  Avail: None
  cPanel before 60.0.25 allows self XSS in the alias upload interface (SEC-184).

310  CVE-2016-10783  CWE: 79  Exploits: -  Type: XSS  Published: 2019-08-06  Updated: 2019-08-08
  Score: 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: Single system  Conf: None  Integ: Partial  Avail: None
  cPanel before 60.0.25 allows self stored XSS in SSL_listkeys (SEC-182).

311  CVE-2016-10782  CWE: 79  Exploits: -  Type: XSS  Published: 2019-08-06  Updated: 2019-08-08
  Score: 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: Single system  Conf: None  Integ: Partial  Avail: None
  cPanel before 60.0.25 allows self stored XSS in postgres API1 listdbs (SEC-181).

312  CVE-2016-10781  CWE: 79  Exploits: -  Type: XSS  Published: 2019-08-06  Updated: 2019-08-08
  Score: 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: Single system  Conf: None  Integ: Partial  Avail: None
  cPanel before 60.0.25 allows self XSS in the UI_confirm API (SEC-180).

313  CVE-2016-10780  CWE: 79  Exploits: -  Type: XSS  Published: 2019-08-06  Updated: 2019-08-08
  Score: 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: Single system  Conf: None  Integ: Partial  Avail: None
  cPanel before 60.0.25 allows stored XSS in the ftp_sessions API (SEC-180).

314  CVE-2016-10779  CWE: 79  Exploits: -  Type: XSS  Published: 2019-08-06  Updated: 2019-08-09
  Score: 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: Single system  Conf: None  Integ: Partial  Avail: None
  cPanel before 60.0.25 allows stored XSS in api1_listautoresponders (SEC-179).

315  CVE-2016-10778  CWE: 79  Exploits: -  Type: XSS  Published: 2019-08-06  Updated: 2019-08-08
  Score: 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: Single system  Conf: None  Integ: Partial  Avail: None
  cPanel before 60.0.25 allows self stored XSS in the listftpstable API (SEC-178).

316  CVE-2016-10777  CWE: 79  Exploits: -  Type: XSS  Published: 2019-08-06  Updated: 2019-08-08
  Score: 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: Single system  Conf: None  Integ: Partial  Avail: None
  cPanel before 60.0.25 allows self XSS in WHM Tweak Settings for autodiscover_host (SEC-177).

317  CVE-2016-10776  CWE: 79  Exploits: -  Type: XSS  Published: 2019-08-06  Updated: 2019-08-08
  Score: 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: Single system  Conf: None  Integ: Partial  Avail: None
  cPanel before 60.0.25 allows stored XSS during the homedir removal phase of WHM Account termination (SEC-174).

318  CVE-2016-10775  CWE: 20  Exploits: -  Type: -  Published: 2019-08-05  Updated: 2019-08-12
  Score: 6.8  Gained access: None  Access: Remote  Complexity: Low  Authentication: Single system  Conf: Complete  Integ: None  Avail: None
  cPanel before 60.0.25 allows arbitrary file-chown operations via reassign_post_terminate_cruft (SEC-173).

319  CVE-2016-10774  CWE: 79  Exploits: -  Type: XSS  Published: 2019-08-05  Updated: 2019-08-09
  Score: 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: Single system  Conf: None  Integ: Partial  Avail: None
  cPanel before 60.0.25 allows self XSS in the tail_ea4_migration.cgi interface (SEC-172).

320  CVE-2016-10773  CWE: 134  Exploits: -  Type: -  Published: 2019-08-05  Updated: 2019-08-09
  Score: 6.5  Gained access: None  Access: Remote  Complexity: Low  Authentication: Single system  Conf: Partial  Integ: Partial  Avail: Partial
  cPanel before 60.0.25 allows format-string injection in exception-message handling (SEC-171).

321  CVE-2016-10772  CWE: 254  Exploits: -  Type: -  Published: 2019-08-05  Updated: 2019-08-09
  Score: 2.1  Gained access: None  Access: Local  Complexity: Low  Authentication: Not required  Conf: None  Integ: Partial  Avail: None
  cPanel before 60.0.25 does not enforce feature-list restrictions when calling the multilang adminbin (SEC-168).

322  CVE-2016-10771  CWE: 20  Exploits: -  Type: -  Published: 2019-08-05  Updated: 2019-08-09
  Score: 5.5  Gained access: None  Access: Remote  Complexity: Low  Authentication: Single system  Conf: Partial  Integ: Partial  Avail: None
  cPanel before 60.0.25 allows file-create and file-chmod operations during ModSecurity Audit logfile processing (SEC-165).

323  CVE-2016-10770  CWE: 20  Exploits: -  Type: -  Published: 2019-08-05  Updated: 2019-08-09
  Score: 5.5  Gained access: None  Access: Remote  Complexity: Low  Authentication: Single system  Conf: None  Integ: Partial  Avail: Partial
  cPanel before 60.0.25 allows arbitrary file-overwrite operations during a Roundcube update (SEC-164).

324  CVE-2016-10769  CWE: 601  Exploits: -  Type: -  Published: 2019-08-05  Updated: 2019-08-08
  Score: 5.8  Gained access: None  Access: Remote  Complexity: Medium  Authentication: Not required  Conf: Partial  Integ: Partial  Avail: None
  cPanel before 60.0.25 allows an open redirect via /cgi-sys/FormMail-clone.cgi (SEC-162).

325  CVE-2016-10768  CWE: 20  Exploits: -  Type: -  Published: 2019-08-05  Updated: 2019-08-08
  Score: 5.5  Gained access: None  Access: Remote  Complexity: Low  Authentication: Single system  Conf: None  Integ: Partial  Avail: Partial
  cPanel before 60.0.25 allows file-overwrite operations during preparation for MySQL upgrades (SEC-161).

326  CVE-2016-10767  CWE: 79  Exploits: -  Type: XSS  Published: 2019-08-05  Updated: 2019-08-09
  Score: 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: Single system  Conf: None  Integ: Partial  Avail: None
  cPanel before 60.0.25 allows stored XSS in the WHM Repair Mailbox Permissions interface (SEC-159).

327  CVE-2015-9291  CWE: 284  Exploits: -  Type: -  Published: 2019-08-01  Updated: 2019-08-07
  Score: 5.0  Gained access: None  Access: Remote  Complexity: Low  Authentication: Not required  Conf: Partial  Integ: None  Avail: None
  cPanel before 11.52.0.13 does not prevent arbitrary file-read operations via get_information_for_applications (CPANEL-1221).

328  CVE-2009-4823  CWE: 79  Exploits: 1  Type: XSS  Published: 2010-04-27  Updated: 2010-05-04
  Score: 4.3  Gained access: None  Access: Remote  Complexity: Medium  Authentication: Not required  Conf: None  Integ: Partial  Avail: None
  Cross-site scripting (XSS) vulnerability in frontend/x3/files/fileop.html in cPanel 11.0 through 11.24.7 allows remote attackers to inject arbitrary web script or HTML via the fileop parameter.

329  CVE-2009-2275  CWE: 22  Exploits: 1  Type: Dir. Trav.  Published: 2009-07-01  Updated: 2017-09-18
  Score: 5.0  Gained access: None  Access: Remote  Complexity: Low  Authentication: Not required  Conf: Partial  Integ: None  Avail: None
  Directory traversal vulnerability in frontend/x3/stats/lastvisit.html in cPanel allows remote attackers to read arbitrary files via a .. (dot dot) in the domain parameter.

330  CVE-2008-7142  CWE: 22  Exploits: -  Type: Dir. Trav.  Published: 2009-09-01  Updated: 2018-10-11
  Score: 5.0  Gained access: None  Access: Remote  Complexity: Low  Authentication: Not required  Conf: Partial  Integ: None  Avail: None
  Absolute path traversal vulnerability in the Disk Usage module (frontend/x/diskusage/index.html) in cPanel 11.18.3 allows remote attackers to list arbitrary directories via the showtree parameter.

331  CVE-2008-6927  CWE: 79  Exploits: -  Type: XSS  Published: 2009-08-10  Updated: 2018-10-11
  Score: 4.3  Gained access: None  Access: Remote  Complexity: Medium  Authentication: Not required  Conf: None  Integ: Partial  Avail: None
  Multiple cross-site scripting (XSS) vulnerabilities in autoinstall4imagesgalleryupgrade.php in the Fantastico De Luxe Module for cPanel allow remote attackers to inject arbitrary web script or HTML via the (1) localapp, (2) updatedir, (3) scriptpath_show, (4) domain_show, (5) thispage, (6) thisapp, and (7) currentversion parameters in an Upgrade action.

332  CVE-2008-6843  CWE: 22  Exploits: -  Type: Dir. Trav.  Published: 2009-07-02  Updated: 2018-10-11
  Score: 5.0  Gained access: None  Access: Remote  Complexity: Low  Authentication: Not required  Conf: Partial  Integ: None  Avail: None
  Directory traversal vulnerability in index.php in Fantastico, as used with cPanel 11.x, allows remote attackers to read arbitrary files via a .. (dot dot) in the sup3r parameter.

333  CVE-2008-2478  CWE: 94  Exploits: -  Type: Exec Code  Published: 2008-05-28  Updated: 2018-10-11
  Score: 8.5  Gained access: Admin  Access: Remote  Complexity: Medium  Authentication: Single system  Conf: Complete  Integ: Complete  Avail: Complete
  ** DISPUTED ** scripts/wwwacct in cPanel 11.18.6 STABLE and earlier and 11.23.1 CURRENT and earlier allows remote authenticated users with reseller privileges to execute arbitrary code via shell metacharacters in the Email address field (aka Email text box). NOTE: the vendor disputes this, stating "I'm unable to reproduce such an issue on multiple servers running different versions of cPanel."

334  CVE-2008-2071  CWE: 352  Exploits: -  Type: CSRF  Published: 2008-05-12  Updated: 2018-10-11
  Score: 4.3  Gained access: None  Access: Remote  Complexity: Medium  Authentication: Not required  Conf: None  Integ: Partial  Avail: None
  Multiple cross-site request forgery (CSRF) vulnerabilities in the WHM interface 11.15.0 for cPanel 11.18 before 11.18.4 and 11.22 before 11.22.3 allow remote attackers to perform unauthorized actions as cPanel administrators via requests to cpanel/whm/webmail and other unspecified vectors.

335  CVE-2008-2070  CWE: 79  Exploits: -  Type: XSS Bypass  Published: 2008-05-12  Updated: 2018-10-11
  Score: 4.3  Gained access: None  Access: Remote  Complexity: Medium  Authentication: Not required  Conf: None  Integ: Partial  Avail: None
  The WHM interface 11.15.0 for cPanel 11.18 before 11.18.4 and 11.22 before 11.22.3 allows remote attackers to bypass XSS protection and inject arbitrary script or HTML via repeated, improperly-ordered "<" and ">" characters in the (1) issue parameter to scripts2/knowlegebase, (2) user parameter to scripts2/changeip, (3) search parameter to scripts2/listaccts, and other unspecified vectors.

336  CVE-2008-2043  CWE: 352  Exploits: -  Type: Exec Code CSRF  Published: 2008-05-01  Updated: 2017-08-07
  Score: 4.3  Gained access: None  Access: Remote  Complexity: Medium  Authentication: Not required  Conf: None  Integ: Partial  Avail: None
  Multiple cross-site request forgery (CSRF) vulnerabilities in cPanel, possibly 11.18.3 and 11.19.3, allow remote attackers to (1) execute arbitrary code via the command1 parameter to frontend/x2/cron/editcronsimple.html, and perform various administrative actions via (2) frontend/x2/sql/adddb.html, (3) frontend/x2/sql/adduser.html, and (4) frontend/x2/ftp/doaddftp.html.

337  CVE-2008-1499  CWE: 79  Exploits: -  Type: XSS  Published: 2008-03-25  Updated: 2018-10-11
  Score: 4.3  Gained access: None  Access: Remote  Complexity: Medium  Authentication: Not required  Conf: None  Integ: Partial  Avail: None
  Cross-site scripting (XSS) vulnerability in frontend/x/manpage.html in cPanel 11.18.3 and 11.21.0-BETA allows remote attackers to inject arbitrary web script or HTML via the query string.

338  CVE-2008-0370  CWE: 79  Exploits: -  Type: XSS  Published: 2008-01-22  Updated: 2018-10-15
  Score: 4.3  Gained access: None  Access: Remote  Complexity: Medium  Authentication: Not required  Conf: None  Integ: Partial  Avail: None
  Cross-site scripting (XSS) vulnerability in dohtaccess.html in cPanel before 11.17 build 19417 allows remote attackers to inject arbitrary web script or HTML via the rurl parameter. NOTE: some of these details are obtained from third party information.

339  CVE-2007-4022  CWE: -  Exploits: -  Type: XSS  Published: 2007-07-26  Updated: 2018-10-15
  Score: 4.3  Gained access: None  Access: Remote  Complexity: Medium  Authentication: Not required  Conf: None  Integ: Partial  Avail: None
  Cross-site scripting (XSS) vulnerability in frontend/x/htaccess/changepro.html in cPanel 10.9.1 allows remote attackers to inject arbitrary web script or HTML via the resname parameter.

340  CVE-2007-3367  CWE: -  Exploits: -  Type: +Info  Published: 2007-06-22  Updated: 2017-07-28
  Score: 7.8  Gained access: None  Access: Remote  Complexity: Low  Authentication: Not required  Conf: Complete  Integ: None  Avail: None
  Simple CGI Wrapper (scgiwrap) in cPanel before 10.9.1, and 11.x before 11.4.19-R14378, allows remote attackers to obtain sensitive information via a direct request, which reveals the path in an error message. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

341  CVE-2007-3366  CWE: -  Exploits: -  Type: XSS  Published: 2007-06-22  Updated: 2017-07-28
  Score: 4.3  Gained access: None  Access: Remote  Complexity: Medium  Authentication: Not required  Conf: None  Integ: Partial  Avail: None
  Cross-site scripting (XSS) vulnerability in Simple CGI Wrapper (scgiwrap) in cPanel before 10.9.1, and 11.x before 11.4.19-R14378, allows remote attackers to inject arbitrary web script or HTML via the URI. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

342  CVE-2007-0890  CWE: -  Exploits: -  Type: XSS  Published: 2007-02-12  Updated: 2018-10-16
  Score: 4.3  Gained access: None  Access: Remote  Complexity: Medium  Authentication: Not required  Conf: None  Integ: Partial  Avail: None
  Cross-site scripting (XSS) vulnerability in scripts/passwdmysql in cPanel WebHost Manager (WHM) 11.0.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the password parameter.

343  CVE-2007-0854  CWE: 94  Exploits: -  Type: Exec Code File Inclusion  Published: 2007-02-08  Updated: 2018-10-16
  Score: 7.5  Gained access: User  Access: Remote  Complexity: Low  Authentication: Not required  Conf: Partial  Integ: Partial  Avail: Partial
  Remote file inclusion vulnerability in scripts2/objcache in cPanel WebHost Manager (WHM) allows remote attackers to execute arbitrary code via a URL in the obj parameter. NOTE: a third party claims that this issue is not file inclusion because the contents are not parsed, but the attack can be used to overwrite files in /var/cpanel/objcache or provide unexpected web page contents.

344  CVE-2006-6548  CWE: -  Exploits: -  Type: XSS  Published: 2006-12-14  Updated: 2018-10-17
  Score: 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: Single system  Conf: None  Integ: Partial  Avail: None
  Multiple cross-site scripting (XSS) vulnerabilities in cPanel WebHost Manager (WHM) 3.1.0 allow remote authenticated users to inject arbitrary web script or HTML via the domain parameter to (1) scripts2/changeemail, (2) scripts2/limitbw, or (3) scripts/rearrangeacct. NOTE: the feature parameter to scripts2/dofeaturemanager is already covered by CVE-2006-6198.

345  CVE-2006-6523  CWE: -  Exploits: -  Type: XSS  Published: 2006-12-13  Updated: 2018-10-17
  Score: 6.8  Gained access: None  Access: Remote  Complexity: Medium  Authentication: Not required  Conf: Partial  Integ: Partial  Avail: Partial
  Cross-site scripting (XSS) vulnerability in mail/manage.html in BoxTrapper in cPanel 11 allows remote attackers to inject arbitrary web script or HTML via the account parameter.

346  CVE-2006-6198  CWE: -  Exploits: -  Type: XSS  Published: 2006-11-30  Updated: 2018-10-17
  Score: 6.0  Gained access: User  Access: Remote  Complexity: Medium  Authentication: Single system  Conf: Partial  Integ: Partial  Avail: Partial
  Multiple cross-site scripting (XSS) vulnerabilities in cPanel WebHost Manager (WHM) 3.1.0 allow remote authenticated users to inject arbitrary web script or HTML via the (1) email parameter to (a) scripts2/dochangeemail, the (2) supporturl parameter to (b) cgi/addon_configsupport.cgi, the (3) pkg parameter to (c) scripts/editpkg, the (4) domain parameter to (d) scripts2/domts2 and (e) scripts/editzone, the (5) feature parameter to (g) scripts2/dofeaturemanager, and the (6) ndomain parameter to (h) scripts/park.

347  CVE-2006-5883  CWE: -  Exploits: -  Type: XSS  Published: 2006-11-14  Updated: 2018-10-17
  Score: 3.5  Gained access: None  Access: Remote  Complexity: Medium  Authentication: Single system  Conf: None  Integ: Partial  Avail: None
  Multiple cross-site scripting (XSS) vulnerabilities in cPanel 10 allow remote authenticated users to inject arbitrary web script or HTML via the (1) dir parameter in (a) seldir.html, and the (2) user and (3) dir parameters in (b) newuser.html.

348  CVE-2006-5535  CWE: -  Exploits: -  Type: XSS  Published: 2006-10-26  Updated: 2018-10-17
  Score: 4.3  Gained access: None  Access: Remote  Complexity: Medium  Authentication: Not required  Conf: None  Integ: Partial  Avail: None
  Multiple cross-site scripting (XSS) vulnerabilities in WebHostManager (WHM) 10.8.0 cPanel 10.9.0 R50 allow remote attackers to inject arbitrary web script or HTML via the (1) theme parameter to scripts/dosetmytheme and the (2) template parameter to scripts2/editzonetemplate.

349  CVE-2006-5014  CWE: -  Exploits: -  Type: +Priv  Published: 2006-09-26  Updated: 2008-09-05
  Score: 9.0  Gained access: Admin  Access: Remote  Complexity: Low  Authentication: Single system  Conf: Complete  Integ: Complete  Avail: Complete
  Unspecified vulnerability in cPanel before 10.9.0 12 Tree allows remote authenticated users to gain privileges via unspecified vectors in (1) mysqladmin and (2) hooksadmin.

350  CVE-2006-4293  CWE: -  Exploits: -  Type: XSS  Published: 2006-08-22  Updated: 2018-10-17
  Score: 4.3  Gained access: None  Access: Remote  Complexity: Medium  Authentication: Not required  Conf: None  Integ: Partial  Avail: None
  Multiple cross-site scripting (XSS) vulnerabilities in cPanel 10 allow remote attackers to inject arbitrary web script or HTML via the (1) dir parameter in dohtaccess.html, or the (2) file parameter in (a) editit.html or (b) showfile.html.
Total number of vulnerabilities: 369 (this page lists entries 301 to 350; page 7 of 8)