CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   

Cpanel : Security Vulnerabilities (CVSS score between 2 and 2.99)

CVSS Scores Greater Than: 0   1   2   3   4   5   6   7   8   9  
Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2021-38590 732 2021-08-11 2022-05-03
2.1
 None Local Low Not required Partial None None
In cPanel before 96.0.8, weak permissions on web stats can lead to information disclosure (SEC-584).
2 CVE-2021-38586 2021-08-11 2021-08-20
2.1
 None Local Low Not required None Partial None
In cPanel before 98.0.1, /scripts/cpan_config performs unsafe operations on files (SEC-589).
3 CVE-2019-20494 20 2020-03-17 2021-07-21
2.1
 None Local Low Not required Partial None None
In cPanel before 82.0.18, Cpanel::Rand::Get can produce a predictable series of numbers (SEC-525).
4 CVE-2019-14414 2019-07-30 2020-08-24
2.1
 None Local Low Not required None Partial None
In cPanel before 78.0.2, a Userdata cache temporary file can conflict with domains (SEC-478).
5 CVE-2019-14412 134 2019-07-30 2019-07-30
2.1
 None Local Low Not required None Partial None
Maketext in cPanel before 78.0.2 allows format-string injection in the DCV check_domains_via_dns UAPI (SEC-474).
6 CVE-2019-14410 134 2019-07-30 2019-07-30
2.1
 None Local Low Not required None Partial None
Maketext in cPanel before 78.0.2 allows format-string injection in the Email store_filter UAPI (SEC-472).
7 CVE-2019-14409 200 +Info 2019-07-30 2021-07-21
2.1
 None Local Low Not required Partial None None
cPanel before 78.0.2 allows arbitrary file-read operations via Passenger adminbin (SEC-466).
8 CVE-2019-14402 2019-07-30 2020-08-24
2.1
 None Local Low Not required None Partial None
cPanel before 78.0.18 unsafely determines terminal capabilities by using infocmp (SEC-481).
9 CVE-2019-14396 2019-07-30 2020-08-24
2.1
 None Local Low Not required None Partial None
API Analytics adminbin in cPanel before 80.0.5 allows spoofed insertions of log data (SEC-495).
10 CVE-2019-14395 200 +Info 2019-07-30 2021-07-21
2.1
 None Local Low Not required Partial None None
cPanel before 80.0.5 uses world-readable permissions for the Queueprocd log (SEC-494).
11 CVE-2019-14394 200 +Info 2019-07-30 2021-07-21
2.1
 None Local Low Not required Partial None None
cPanel before 80.0.5 allows unsafe file operations in the context of the root account via the fetch_ssl_certificates_for_fqdns API (SEC-489).
12 CVE-2019-14391 2019-07-30 2020-08-24
2.1
 None Local Low Not required None Partial None
cPanel before 82.0.2 does not properly enforce Reseller package creation ACLs (SEC-514).
13 CVE-2019-14389 2019-07-30 2020-08-24
2.1
 None Local Low Not required Partial None None
cPanel before 82.0.2 allows local users to discover the MySQL root password (SEC-510).
14 CVE-2018-20947 668 2019-08-01 2019-08-08
2.1
 None Local Low Not required None Partial None
cPanel before 68.0.27 allows certain file-write operations via the telnetcrt script (SEC-356).
15 CVE-2018-20946 200 +Info 2019-08-01 2019-08-07
2.1
 None Local Low Not required Partial None None
cPanel before 68.0.27 allows attackers to read zone information because a world-readable archive is created by the archive_sync_zones script (SEC-355).
16 CVE-2018-20944 200 +Info 2019-08-01 2019-08-07
2.1
 None Local Low Not required Partial None None
cPanel before 68.0.27 allows attackers to read a copy of httpd.conf that is created during a syntax test (SEC-353).
17 CVE-2018-20940 362 2019-08-01 2019-08-07
2.1
 None Local Low Not required Partial None None
cPanel before 68.0.27 allows attackers to read root's crontab file during a short time interval upon the enabling of backups (SEC-342).
18 CVE-2018-20939 200 +Info 2019-08-01 2019-08-07
2.1
 None Local Low Not required Partial None None
cPanel before 68.0.27 allows a user to discover contents of directories (that are not owned by that user) by leveraging backups (SEC-339).
19 CVE-2018-20936 732 2019-08-01 2020-08-24
2.1
 None Local Low Not required Partial None None
cPanel before 68.0.27 allows attackers to read the SRS secret via exim.conf (SEC-308).
20 CVE-2018-20927 285 2019-08-01 2019-08-12
2.1
 None Local Low Not required Partial None None
cPanel before 70.0.23 allows jailshell escape because of incorrect crontab parsing (SEC-382).
21 CVE-2018-20917 20 2019-08-01 2019-08-01
2.1
 None Local Low Not required None None Partial
cPanel before 70.0.23 allows any user to disable Solr (SEC-371).
22 CVE-2018-20908 732 2019-08-01 2020-08-24
2.1
 None Local Low Not required Partial None None
cPanel before 71.9980.37 allows arbitrary file-read operations during pkgacct custom template handling (SEC-435).
23 CVE-2018-20902 200 +Info 2019-08-01 2019-08-02
2.1
 None Local Low Not required Partial None None
cPanel before 71.9980.37 allows attackers to read root's crontab file by leveraging ClamAV installation (SEC-408).
24 CVE-2018-20894 200 +Info 2019-08-01 2019-08-07
2.1
 None Local Low Not required Partial None None
cPanel before 74.0.0 makes web-site contents accessible to other local users via Git repositories (SEC-443).
25 CVE-2018-20893 20 2019-08-01 2019-08-06
2.1
 None Local Low Not required None Partial None
cPanel before 74.0.0 allows file-rename operations during account renames (SEC-442).
26 CVE-2018-20880 2019-08-01 2020-08-24
2.1
 None Local Low Not required None None Partial
cPanel before 74.0.8 mishandles account suspension because of an invalid email_accounts.json file (SEC-445).
27 CVE-2018-20873 20 2019-08-01 2019-08-08
2.1
 None Local Low Not required None None Partial
cPanel before 74.0.8 allows local users to disable the ClamAV daemon (SEC-409).
28 CVE-2018-20870 200 +Info 2019-07-30 2019-07-31
2.1
 None Local Low Not required Partial None None
The WebDAV transport feature in cPanel before 76.0.8 enables debug logging (SEC-467).
29 CVE-2018-20862 2019-07-30 2020-08-24
2.1
 None Local Low Not required Partial None None
cPanel before 76.0.8 unsafely performs PostgreSQL password changes (SEC-366).
30 CVE-2017-18465 20 2019-08-05 2019-08-12
2.1
 None Local Low Not required None Partial None
cPanel before 62.0.17 does not have a sufficient list of reserved usernames (SEC-227).
31 CVE-2017-18449 20 2019-08-02 2019-08-08
2.1
 None Local Low Not required None Partial None
cPanel before 64.0.21 allows certain file-rename operations in the context of the root account via scripts/convert_roundcube_mysql2sqlite (SEC-254).
32 CVE-2017-18436 200 +Info 2019-08-02 2019-08-09
2.7
 None Local Network Low ??? Partial None None
cPanel before 64.0.21 allows demo accounts to read files via a Fileman::getfileactions API2 call (SEC-239).
33 CVE-2017-18432 200 +Info 2019-08-02 2019-08-12
2.1
 None Local Low Not required Partial None None
In cPanel before 64.0.21, Horde MySQL to SQLite conversion can leak a database password (SEC-234).
34 CVE-2017-18429 254 2019-08-02 2019-09-24
2.1
 None Local Low Not required Partial None None
In cPanel before 66.0.2, Apache HTTP Server SSL domain logs can persist on disk after an account termination (SEC-291).
35 CVE-2017-18427 275 2019-08-02 2019-08-12
2.1
 None Local Low Not required Partial None None
In cPanel before 66.0.2, weak log-file permissions can occur after account modification (SEC-289).
36 CVE-2017-18424 200 +Info 2019-08-02 2019-08-06
2.1
 None Local Low Not required Partial None None
In cPanel before 66.0.2, the Apache HTTP Server configuration file is changed to world-readable when rebuilt (SEC-274).
37 CVE-2017-18423 532 2019-08-02 2019-08-06
2.1
 None Local Low Not required Partial None None
In cPanel before 66.0.2, domain log files become readable after log processing (SEC-273).
38 CVE-2017-18422 275 2019-08-02 2019-08-06
2.1
 None Local Low Not required Partial None None
In cPanel before 66.0.2, EasyApache 4 conversion sets weak domlog ownership and permissions (SEC-272).
39 CVE-2017-18421 284 2019-08-02 2019-08-06
2.1
 None Local Low Not required Partial None None
cPanel before 66.0.2 allows demo accounts to create databases and users (SEC-271).
40 CVE-2017-18405 20 2019-08-02 2019-08-12
2.1
 None Local Low Not required Partial None None
cPanel before 68.0.15 allows arbitrary file-read operations because of the backup .htaccess modification logic (SEC-345).
41 CVE-2017-18397 275 2019-08-02 2019-08-13
2.1
 None Local Low Not required Partial None None
cPanel before 68.0.15 does not preserve permissions for local backup transport (SEC-330).
42 CVE-2017-18392 20 2019-08-02 2019-08-13
2.1
 None Remote High ??? None Partial None
cPanel before 68.0.15 allows collisions because PostgreSQL databases can be assigned to multiple accounts (SEC-325).
43 CVE-2017-18385 284 2019-08-02 2019-08-06
2.1
 None Local Low Not required Partial None None
cPanel before 68.0.15 allows unprivileged users to access restricted directories during account restores (SEC-311).
44 CVE-2017-18384 284 2019-08-02 2019-08-06
2.1
 None Local Low Not required Partial None None
cPanel before 68.0.15 allows jailed accounts to restore files that are outside of the jail (SEC-310).
45 CVE-2016-10841 199 2019-08-01 2019-08-08
2.1
 None Remote High ??? Partial None None
The bin/mkvhostspasswd script in cPanel before 11.54.0.4 discloses password hashes (SEC-73).
46 CVE-2016-10799 284 2019-08-07 2019-08-13
2.1
 None Local Low Not required None Partial None
cPanel before 58.0.4 does not set the Pear tmp directory during a PHP installation (SEC-137).
47 CVE-2016-10796 275 2019-08-06 2019-08-13
2.1
 None Local Low Not required Partial None None
cPanel before 58.0.4 initially uses weak permissions for Apache HTTP Server log files (SEC-130).
48 CVE-2016-10772 254 2019-08-05 2019-08-09
2.1
 None Local Low Not required None Partial None
cPanel before 60.0.25 does not enforce feature-list restrictions when calling the multilang adminbin (SEC-168).
49 CVE-2006-3337 XSS 2006-07-03 2018-10-18
2.6
 None Remote High Not required None Partial None
Cross-site scripting (XSS) vulnerability in frontend/x/files/select.html in cPanel 10.8.2-CURRENT 118 and earlier allows remote attackers to inject arbitrary web script or HTML via the file parameter.
Total number of vulnerabilities : 49   Page : 1 (This Page)
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.