cPanel: Security Vulnerabilities with CVSS score between 7 and 7.99
In cPanel before 96.0.13, scripts/fix-cpanel-perl mishandles the creation of temporary files (SEC-586).
Max Base Score | 7.5 |
Published | 2021-08-11 |
Updated | 2022-07-12 |
EPSS | 0.07% |
The WHM Locale Upload feature in cPanel before 98.0.1 allows unserialization attacks (SEC-585).
Max Base Score | 7.2 |
Published | 2021-08-11 |
Updated | 2021-08-20 |
EPSS | 0.10% |
The WHM Locale Upload feature in cPanel before 98.0.1 allows XXE attacks (SEC-585).
Max Base Score | 7.2 |
Published | 2021-08-11 |
Updated | 2021-08-20 |
EPSS | 0.10% |
cPanel before 92.0.9 allows a MySQL user (who has an old-style password hash) to bypass suspension (SEC-579).
Max Base Score | 7.5 |
Published | 2021-01-26 |
Updated | 2021-02-03 |
EPSS | 0.07% |
cPanel before 92.0.9 allows a Reseller to bypass the suspension lock (SEC-578).
Max Base Score | 7.5 |
Published | 2021-01-26 |
Updated | 2021-02-03 |
EPSS | 0.07% |
The email quota cache in cPanel before 90.0.10 allows overwriting of files.
Max Base Score | 7.5 |
Published | 2020-09-25 |
Updated | 2020-09-29 |
EPSS | 0.08% |
cPanel before 88.0.13 allows bypass of a protection mechanism that attempted to restrict package modification (SEC-557).
Max Base Score | 7.5 |
Published | 2020-09-25 |
Updated | 2020-09-29 |
EPSS | 0.08% |
cPanel before 88.0.3, upon an upgrade, establishes predictable PowerDNS API keys (SEC-561).
Max Base Score | 7.5 |
Published | 2020-09-25 |
Updated | 2021-07-21 |
EPSS | 0.17% |
cPanel before 88.0.3 has weak permissions (world readable) for the proxy subdomains log file (SEC-558).
Max Base Score | 7.5 |
Published | 2020-09-25 |
Updated | 2021-07-21 |
EPSS | 0.17% |
In cPanel before 88.0.3, an insecure SRS secret is used on a templated VM (SEC-552).
Max Base Score | 7.5 |
Published | 2020-09-25 |
Updated | 2020-09-29 |
EPSS | 0.17% |
In cPanel before 88.0.3, an insecure site password is used for Mailman on a templated VM (SEC-551).
Max Base Score | 7.5 |
Published | 2020-09-25 |
Updated | 2020-09-29 |
EPSS | 0.17% |
In cPanel before 88.0.3, an insecure auth policy API key is used by Dovecot on a templated VM (SEC-550).
Max Base Score | 7.5 |
Published | 2020-09-25 |
Updated | 2021-07-21 |
EPSS | 0.17% |
cPanel before 88.0.3 allows attackers to bypass the SMTP greylisting protection mechanism (SEC-491).
Max Base Score | 7.5 |
Published | 2020-09-25 |
Updated | 2020-09-29 |
EPSS | 0.08% |
cPanel before 78.0.18 allows local users to escalate to root access because of userdata cache misparsing (SEC-479).
Max Base Score | 7.8 |
Published | 2019-07-30 |
Updated | 2020-08-24 |
EPSS | 0.05% |
The SSL certificate-storage feature in cPanel before 78.0.18 allows unsafe file operations in the context of the root account (SEC-477).
Max Base Score | 7.1 |
Published | 2019-07-30 |
Updated | 2021-07-21 |
EPSS | 0.04% |
cPanel before 82.0.2 allows local users to discover the MySQL root password (SEC-510).
Max Base Score | 7.8 |
Published | 2019-07-30 |
Updated | 2020-08-24 |
EPSS | 0.04% |
cPanel before 82.0.2 allows unauthenticated file creation because Exim log parsing is mishandled (SEC-507).
Max Base Score | 7.5 |
Published | 2019-07-30 |
Updated | 2020-08-24 |
EPSS | 0.08% |
bin/csvprocess in cPanel before 68.0.27 allows insecure file operations (SEC-354).
Max Base Score | 7.9 |
Published | 2019-08-01 |
Updated | 2019-08-13 |
EPSS | 0.05% |
cPanel before 70.0.23 allows local privilege escalation via the WHM Locale XML Upload interface (SEC-380).
Max Base Score | 7.2 |
Published | 2019-08-01 |
Updated | 2020-08-24 |
EPSS | 0.04% |
cPanel before 70.0.23 allows arbitrary file-read and file-unlink operations via WHM style uploads (SEC-378).
Max Base Score | 7.5 |
Published | 2019-08-01 |
Updated | 2019-08-08 |
EPSS | 0.07% |
In cPanel before 70.0.23, OpenID providers can inject arbitrary data into cPanel session files (SEC-368).
Max Base Score | 7.3 |
Published | 2019-08-01 |
Updated | 2019-08-02 |
EPSS | 0.07% |
cPanel before 70.0.23 allows code execution because "." is in @INC during a Perl syntax check of cpaddonsup (SEC-359).
Max Base Score | 7.2 |
Published | 2019-08-01 |
Updated | 2019-08-02 |
EPSS | 0.11% |
cPanel before 70.0.23 allows arbitrary file-chmod operations during legacy incremental backups (SEC-338).
Max Base Score | 7.1 |
Published | 2019-08-01 |
Updated | 2020-08-24 |
EPSS | 0.04% |
In cPanel before 71.9980.37, API tokens retain ACLs after those ACLs are removed from the corresponding accounts (SEC-393).
Max Base Score | 7.2 |
Published | 2019-08-01 |
Updated | 2019-08-07 |
EPSS | 0.09% |
cPanel before 76.0.8 allows arbitrary code execution in the context of the root account via dnssec adminbin (SEC-465).
Max Base Score | 7.8 |
Published | 2019-07-30 |
Updated | 2019-07-31 |
EPSS | 0.04% |