Cpanel : Security Vulnerabilities, CVEs,

guestbook.cgi in cPanel 5.0 allows remote attackers to execute arbitrary commands via the template parameter.

The "Allow cPanel users to reset their password via email" feature in cPanel 9.1.0 build 34 and earlier, including 8.x, allows remote attackers to execute arbitrary code via the user parameter to resetpass.

The login page for cPanel 9.1.0, and possibly other versions, allows remote attackers to execute arbitrary code via shell metacharacters in the user parameter.

cPanel before 57.9999.54 allows SQL Injection via the ModSecurity TailWatch log file (SEC-123).

cPanel before 11.54.0.4 allows unauthenticated arbitrary code execution via cpsrvd (SEC-91).

cPanel before 55.9999.141 allows unauthenticated arbitrary code execution via DNS NS entry poisoning (SEC-90).

cPanel before 11.54.0.0 allows unauthenticated arbitrary code execution via DNS NS entry poisoning (SEC-64).

cPanel before 76.0.8 allows remote attackers to execute arbitrary code via mailing-list attachments (SEC-452).

cPanel before 74.0.0 allows SQL injection during database backups (SEC-420).

cPanel before 82.0.18 allows WebDAV authentication bypass because the connection-sharing logic is incorrect (SEC-534).

cPanel before 84.0.20 allows a demo account to achieve remote code execution via a cpsrvd rsync shell (SEC-544).

cPanel before 84.0.20 allows a demo account to achieve code execution via PassengerApps APIs (SEC-546).

cPanel before 88.0.3 mishandles the Exim filter path, leading to remote code execution (SEC-485).

chsh in cPanel before 88.0.3 allows a Jailshell escape (SEC-497).

In cPanel before 88.0.3, insecure RNDC credentials are used for BIND on a templated VM (SEC-549).

In cPanel before 88.0.3, insecure chkservd test credentials are used on a templated VM (SEC-554).

cPanel before 88.0.13 mishandles file-extension dispatching, leading to code execution (SEC-488).

Multiple cross-site scripting (XSS) vulnerabilities in cPanel 9.1.0-R85 allow remote attackers to inject arbitrary web script or HTML via the (1) email parameter to testfile.html, (2) file parameter to erredit.html, (3) dns parameter to dnslook.html, (4) account parameter to ignorelist.html, (5) account parameter to showlog.html, (6) db parameter to repairdb.html, (7) login parameter to doaddftp.html (8) account parameter to editmsg.htm, or (9) ip parameter to del.html. NOTE: the dnslook.html vector was later reported to exist in cPanel 10.

cPanel before 84.0.20 mishandles enforcement of demo checks in the Market UAPI namespace (SEC-542).

cPanel before 84.0.20 allows a demo account to modify files via Branding API calls (SEC-543).

Unspecified vulnerability in cPanel before 10.9.0 12 Tree allows remote authenticated users to gain privileges via unspecified vectors in (1) mysqladmin and (2) hooksadmin.

cPanel before 60.0.25 allows arbitrary code execution via Maketext in PostgreSQL adminbin (SEC-188).

In cPanel before 57.9999.54, /scripts/addpop and /scripts/delpop exposed TTYs (SEC-113).

In cPanel before 57.9999.54, /scripts/checkinfopages exposed a TTY to an unprivileged process (SEC-114).

In cPanel before 57.9999.54, /scripts/maildir_converter exposed a TTY to an unprivileged process (SEC-115).