Cpanel » Cpanel : Security Vulnerabilities, CVEs, Published In 2019 (Information Leak)

cPanel before 68.0.27 creates world-readable files during use of WHM Apache Includes Editor (SEC-388).

cPanel before 68.0.27 allows attackers to read zone information because a world-readable archive is created by the archive_sync_zones script (SEC-355).

cPanel before 68.0.27 allows attackers to read a copy of httpd.conf that is created during a syntax test (SEC-353).

cPanel before 68.0.27 allows attackers to read root's crontab file during a short time interval upon a post-update task (SEC-352).

cPanel before 68.0.27 allows attackers to read root's crontab file during a short time interval upon configuring crontab (SEC-351).

cPanel before 68.0.27 allows arbitrary file-read operations via restore adminbin (SEC-349).

cPanel before 68.0.27 allows a user to discover contents of directories (that are not owned by that user) by leveraging backups (SEC-339).

cPanel before 70.0.23 allows attackers to read the root accesshash via the WHM /cgi/trustclustermaster.cgi (SEC-364).

cPanel before 71.9980.37 allows attackers to read root's crontab file by leveraging ClamAV installation (SEC-408).

cPanel before 74.0.0 makes web-site contents accessible to other local users via Git repositories (SEC-443).

cPanel before 74.0.0 allows certain file-read operations via password file caching (SEC-425).

The WebDAV transport feature in cPanel before 76.0.8 enables debug logging (SEC-467).

In cPanel before 62.0.4 incorrect ACL checks could occur in xml-api for Rearrange Account actions (SEC-207).

cPanel before 62.0.4 allows arbitrary file-read operations via Exim valiases (SEC-201).

cPanel before 64.0.21 allows demo accounts to read files via a Fileman::getfileactions API2 call (SEC-239).

In cPanel before 64.0.21, Horde MySQL to SQLite conversion can leak a database password (SEC-234).

In cPanel before 66.0.2, Apache HTTP Server domlogs become temporarily world-readable during log processing (SEC-290).

In cPanel before 66.0.2, the Apache HTTP Server configuration file is changed to world-readable when rebuilt (SEC-274).

cPanel before 68.0.15 allows arbitrary file-read operations via Exim vdomainaliases (SEC-329).

cPanel before 68.0.15 allows attackers to read backup files because they are world-readable during a short time interval (SEC-323).

The chcpass script in cPanel before 11.54.0.4 reveals a password hash (SEC-77).

cPanel before 57.9999.54 allows arbitrary file-read operations for Webmail accounts via Branding APIs (SEC-120).

In cPanel before 57.9999.54, /scripts/unsuspendacct exposed TTYs (SEC-116).

In cPanel before 57.9999.54, /scripts/maildir_converter exposed a TTY to an unprivileged process (SEC-115).

In cPanel before 57.9999.54, /scripts/checkinfopages exposed a TTY to an unprivileged process (SEC-114).