Latest cpanel cpanel Vulnerabilities

CVE-2023-29489
An issue was discovered in cPanel before 11.109.9999.116. XSS can occur on the cpsrvd error page via an invalid webcall ID, aka SEC-669. The fixed versions are 11.109.9999.116, 11.108.0.13, 11.106.0.1...
Cpanel Cpanel<11.102.0.31
Cpanel Cpanel>=11.104.0<11.106.0.18
Cpanel Cpanel>=11.108.0<11.108.0.13
Cpanel Cpanel>=11.109.0<11.109.9999.116
CVE-2021-38588
In cPanel before 96.0.13, fix_cpanel_perl lacks verification of the integrity of downloads (SEC-587).
Cpanel Cpanel<96.0.13
CVE-2021-38584
The WHM Locale Upload feature in cPanel before 98.0.1 allows XXE attacks (SEC-585).
Cpanel Cpanel<98.0.1
CVE-2021-38587
In cPanel before 96.0.13, scripts/fix-cpanel-perl mishandles the creation of temporary files (SEC-586).
Cpanel Cpanel<96.0.13
CVE-2021-38586
In cPanel before 98.0.1, /scripts/cpan_config performs unsafe operations on files (SEC-589).
Cpanel Cpanel>=11.94.0.0<11.94.0.13
Cpanel Cpanel>=11.96.0.0<11.96.0.13
Cpanel Cpanel>=11.98.0.0<11.98.0.1
CVE-2021-38585
The WHM Locale Upload feature in cPanel before 98.0.1 allows unserialization attacks (SEC-585).
Cpanel Cpanel<98.0.1
CVE-2021-38589
In cPanel before 96.0.13, scripts/fix-cpanel-perl does not properly restrict the overwriting of files (SEC-588).
Cpanel Cpanel<11.96.0.13
CVE-2021-38590
In cPanel before 96.0.8, weak permissions on web stats can lead to information disclosure (SEC-584).
Cpanel Cpanel<11.98.0.8
CVE-2021-31803
cPanel before 94.0.3 allows self-XSS via EasyApache 4 Save Profile (SEC-581).
Cpanel Cpanel<94.0.3
CVE-2021-26267
cPanel before 92.0.9 allows a MySQL user (who has an old-style password hash) to bypass suspension (SEC-579).
Cpanel Cpanel<92.0.9
CVE-2021-26266
cPanel before 92.0.9 allows a Reseller to bypass the suspension lock (SEC-578).
Cpanel Cpanel<92.0.9
CVE-2020-29136
In cPanel before 90.0.17, 2FA can be bypassed via a brute-force approach (SEC-575).
Cpanel Cpanel<11.86.0.32
Cpanel Cpanel>=11.90.0<11.90.0.17
Cpanel Cpanel>=11.92.0<11.92.0.2
CVE-2020-29137
cPanel before 90.0.17 allows self-XSS via the WHM Transfer Tool interface (SEC-577).
Cpanel Cpanel<90.0.17
CVE-2020-29135
cPanel before 90.0.17 has multiple instances of URL parameter injection (SEC-567).
Cpanel Cpanel<90.0.17
CVE-2020-26108
cPanel before 88.0.13 mishandles file-extension dispatching, leading to code execution (SEC-488).
Cpanel Cpanel<88.0.13
CVE-2020-26106
cPanel before 88.0.3 has weak permissions (world readable) for the proxy subdomains log file (SEC-558).
Cpanel Cpanel<88.0.3
CVE-2020-26104
In cPanel before 88.0.3, an insecure SRS secret is used on a templated VM (SEC-552).
Cpanel Cpanel<88.0.3
CVE-2020-26113
cPanel before 90.0.10 allows self XSS via WHM Manage API Tokens interfaces (SEC-569).
Cpanel Cpanel<90.0.10
CVE-2020-26111
cPanel before 90.0.10 allows self XSS via the WHM Edit DNS Zone interface (SEC-566).
Cpanel Cpanel<90.0.10
CVE-2020-26112
The email quota cache in cPanel before 90.0.10 allows overwriting of files.
Cpanel Cpanel<90.0.10
CVE-2020-26115
cPanel before 90.0.10 allows self XSS via the Cron Editor interface (SEC-574).
Cpanel Cpanel<90.0.10
CVE-2020-26114
cPanel before 90.0.10 allows self XSS via the Cron Jobs interface (SEC-573).
Cpanel Cpanel<90.0.10
CVE-2020-26107
cPanel before 88.0.3, upon an upgrade, establishes predictable PowerDNS API keys (SEC-561).
Cpanel Cpanel<88.0.3
CVE-2020-26105
In cPanel before 88.0.3, insecure chkservd test credentials are used on a templated VM (SEC-554).
Cpanel Cpanel<88.0.3
CVE-2020-26103
In cPanel before 88.0.3, an insecure site password is used for Mailman on a templated VM (SEC-551).
Cpanel Cpanel<88.0.3
CVE-2020-26100
chsh in cPanel before 88.0.3 allows a Jailshell escape (SEC-497).
Cpanel Cpanel<88.0.3
CVE-2020-26101
In cPanel before 88.0.3, insecure RNDC credentials are used for BIND on a templated VM (SEC-549).
Cpanel Cpanel<88.0.3
CVE-2020-26099
cPanel before 88.0.3 allows attackers to bypass the SMTP greylisting protection mechanism (SEC-491).
Cpanel Cpanel<88.0.3
CVE-2020-26098
cPanel before 88.0.3 mishandles the Exim filter path, leading to remote code execution (SEC-485).
Cpanel Cpanel<88.0.3
CVE-2020-12784
cPanel before 86.0.14 allows remote attackers to trigger a bandwidth suspension via mail log strings (SEC-505).
Cpanel Cpanel>=11.78.0.1<11.78.0.47
Cpanel Cpanel>=11.84.0.0<11.84.0.22
Cpanel Cpanel>=11.86.0.1<11.86.0.14
CVE-2020-10121
Cpanel Cpanel>=77.9999.110<78.0.45
Cpanel Cpanel>=83.9999.115<84.0.20
CVE-2020-10122
cPanel before 84.0.20 allows a webmail or demo account to delete arbitrary files (SEC-547).
Cpanel Cpanel>=77.9999.110<78.0.45
Cpanel Cpanel>=83.9999.115<84.0.20
CVE-2019-20495
cPanel before 82.0.18 allows attackers to read an arbitrary database via MySQL dump streaming (SEC-531).
Cpanel Cpanel>=81.9999.242<82.0.18
Cpanel Cpanel>=83.9999.115<84.0.10
CVE-2020-10113
cPanel before 84.0.20 allows self XSS via a temporary character-set specification (SEC-515).
Cpanel Cpanel>=77.9999.110<78.0.45
Cpanel Cpanel>=83.9999.115<84.0.20
CVE-2020-10116
cPanel before 84.0.20 allows attackers to bypass intended restrictions on features and demo accounts via WebDisk UAPI calls (SEC-541).
Cpanel Cpanel>=77.9999.110<78.0.45
Cpanel Cpanel>=83.9999.115<84.0.20
CVE-2019-20494
In cPanel before 82.0.18, Cpanel::Rand::Get can produce a predictable series of numbers (SEC-525).
Cpanel Cpanel>=77.9999.110<78.0.43
Cpanel Cpanel>=81.9999.242<82.0.18
Cpanel Cpanel>=83.9999.115<84.0.10
CVE-2020-10114
cPanel before 84.0.20 allows stored self-XSS via the HTML file editor (SEC-535).
Cpanel Cpanel>=77.9999.110<78.0.45
Cpanel Cpanel>=83.9999.115<84.0.20
CVE-2020-10115
cPanel before 84.0.20, when PowerDNS is used, allows arbitrary code execution as root via dnsadmin. (SEC-537).
Cpanel Cpanel>=77.9999.110<78.0.45
Cpanel Cpanel>=83.9999.115<84.0.20
CVE-2019-20496
cPanel before 82.0.18 allows attackers to conduct arbitrary chown operations as root during log processing (SEC-532).
Cpanel Cpanel>=77.9999.110<78.0.43
Cpanel Cpanel>=81.9999.242<82.0.18
Cpanel Cpanel>=83.9999.115<84.0.10
CVE-2020-10118
cPanel before 84.0.20 allows a demo account to modify files via Branding API calls (SEC-543).
Cpanel Cpanel>=77.9999.110<78.0.45
Cpanel Cpanel>=83.9999.115<84.0.20
CVE-2019-20497
cPanel before 82.0.18 allows stored XSS via WHM Backup Restoration (SEC-533).
Cpanel Cpanel>=77.9999.110<78.0.43
Cpanel Cpanel>=81.9999.242<82.0.18
Cpanel Cpanel>=83.9999.115<84.0.10
CVE-2020-10119
cPanel before 84.0.20 allows a demo account to achieve remote code execution via a cpsrvd rsync shell (SEC-544).
Cpanel Cpanel<84.0.20
CVE-2020-10117
cPanel before 84.0.20 mishandles enforcement of demo checks in the Market UAPI namespace (SEC-542).
Cpanel Cpanel>=77.9999.110<78.0.45
Cpanel Cpanel>=83.9999.115<84.0.20
CVE-2019-20498
cPanel before 82.0.18 allows WebDAV authentication bypass because the connection-sharing logic is incorrect (SEC-534).
Cpanel Cpanel>=77.9999.110<78.0.43
Cpanel Cpanel>=81.9999.242<82.0.18
Cpanel Cpanel>=83.9999.115<84.0.10
CVE-2019-20490
cPanel before 82.0.18 allows authentication bypass because webmail usernames are processed inconsistently (SEC-499).
Cpanel Cpanel>=77.9999.110<78.0.43
Cpanel Cpanel>=81.9999.242<82.0.18
Cpanel Cpanel>=83.9999.115<84.0.10
CVE-2019-20493
cPanel before 82.0.18 allows self-XSS because JSON string escaping is mishandled (SEC-520).
Cpanel Cpanel>=77.9999.110<78.0.43
Cpanel Cpanel>=81.9999.242<82.0.18
Cpanel Cpanel>=83.9999.115<84.0.10
CVE-2019-20492
cPanel before 82.0.18 allows authentication bypass because of misparsing of the format of the password file (SEC-516).
Cpanel Cpanel>=77.9999.110<78.0.43
Cpanel Cpanel>=81.9999.242<82.0.18
Cpanel Cpanel>=83.9999.115<84.0.10
CVE-2012-6449
The clientconf.html and detailbw.html pages in x3 in cPanel & WHM 11.34.0 (build 8) have a XSS vulnerability.
Cpanel Cpanel=11.34.0
Cpanel Whm=11.34.0
CVE-2019-17380
cPanel before 82.0.15 allows self XSS in the WHM Update Preferences interface (SEC-528).
Cpanel Cpanel<82.0.15
CVE-2019-17379
cPanel before 82.0.15 allows self stored XSS in the WHM SSL Storage Manager interface (SEC-527).
Cpanel Cpanel>=77.9999.110<78.0.39
Cpanel Cpanel>=81.9999.242<82.0.15

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203