| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Multiple cross-site scripting (XSS) vulnerabilities in cPanel WebHost Manager (WHM) 3.1.0 allow remote authenticated users to inject arbitrary web script or HTML via the (1) email parameter to (a) scripts2/dochangeemail, the (2) supporturl parameter to (b) cgi/addon_configsupport.cgi, the (3) pkg parameter to (c) scripts/editpkg, the (4) domain parameter to (d) scripts2/domts2 and (e) scripts/editzone, the (5) feature parameter to (g) scripts2/dofeaturemanager, and the (6) ndomain parameter to (h) scripts/park. |
| Cross-site scripting (XSS) vulnerability in frontend/x/manpage.html in cPanel 11.18.3 and 11.21.0-BETA allows remote attackers to inject arbitrary web script or HTML via the query string. |
| Remote file inclusion vulnerability in scripts2/objcache in cPanel WebHost Manager (WHM) allows remote attackers to execute arbitrary code via a URL in the obj parameter. NOTE: a third party claims that this issue is not file inclusion because the contents are not parsed, but the attack can be used to overwrite files in /var/cpanel/objcache or provide unexpected web page contents. |
| The WHM interface 11.15.0 for cPanel 11.18 before 11.18.4 and 11.22 before 11.22.3 allows remote attackers to bypass XSS protection and inject arbitrary script or HTML via repeated, improperly-ordered "<" and ">" characters in the (1) issue parameter to scripts2/knowlegebase, (2) user parameter to scripts2/changeip, (3) search parameter to scripts2/listaccts, and other unspecified vectors. |
| Directory traversal vulnerability in frontend/x3/stats/lastvisit.html in cPanel allows remote attackers to read arbitrary files via a .. (dot dot) in the domain parameter. |
| scripts/wwwacct in cPanel 11.18.6 STABLE and earlier and 11.23.1 CURRENT and earlier allows remote authenticated users with reseller privileges to execute arbitrary code via shell metacharacters in the Email address field (aka Email text box). NOTE: the vendor disputes this, stating "I'm unable to reproduce such an issue on multiple servers running different versions of cPanel. |
| Multiple cross-site scripting (XSS) vulnerabilities in WebHostManager (WHM) 10.8.0 cPanel 10.9.0 R50 allow remote attackers to inject arbitrary web script or HTML via the (1) theme parameter to scripts/dosetmytheme and the (2) template parameter to scripts2/editzonetemplate. |
| Directory traversal vulnerability in autoinstall4imagesgalleryupgrade.php in the Fantastico De Luxe Module for cPanel allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the scriptpath_show parameter in a GoAhead action. NOTE: this issue only crosses privilege boundaries when security settings such as disable_functions and safe_mode are active, since exploitation requires uploading of executable code to a home directory. |
| Cross-site scripting (XSS) vulnerability in mail/manage.html in BoxTrapper in cPanel 11 allows remote attackers to inject arbitrary web script or HTML via the account parameter. |
| fantastico in Cpanel does not properly handle when it has insufficient permissions to perform certain file operations, which allows remote authenticated users to obtain the full pathname, which is leaked in a PHP error message. |
| Cross-site scripting (XSS) vulnerability in dowebmailforward.cgi in cPanel allows remote attackers to inject arbitrary web script or HTML via a URL encoded value in the fwd parameter. |
| Multiple cross-site scripting (XSS) vulnerabilities in cPanel 9.1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) email parameter to dodelautores.html or (2) handle parameter to addhandle.html. |
| Cross-site scripting (XSS) vulnerability in mime/handle.html in cPanel 10 allows remote attackers to inject arbitrary web script or HTML via the (1) file extension or (2) mime-type. |
| Multiple cross-site scripting (XSS) vulnerabilies in cPanel 10 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) email parameter to (a) editquota.html or (b) dodelpop.html; (2) showtree parameter to (c) diskusage.html; or the (3) mon, (4) year, (5) target, or (6) domain parameter to (d) stats/detailbw.html. |
| The login page for cPanel 9.1.0, and possibly other versions, allows remote attackers to execute arbitrary code via shell metacharacters in the user parameter. |
| cPanel, when compiling Apache 1.3.29 and PHP with the mod_phpsuexec option, does not set the --enable-discard-path option, which causes php to use the SCRIPT_FILENAME variable to find and execute a script instead of the PATH_TRANSLATED variable, which allows local users to execute arbitrary PHP code as other users via a URL that references the attacker's script after the user's script, which executes the attacker's script with the user's privileges, a different vulnerability than CVE-2004-0529. |
| Cross-site scripting (XSS) vulnerability in webmailaging.cgi in cPanel allows remote attackers to inject arbitrary web script or HTML via the numdays parameter. |
| Cross-site scripting (XSS) vulnerability in cPanel 9.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the user parameter in the login page. |
| cPanel 9.9.1-RELEASE-3 allows remote authenticated users to chmod arbitrary files via a symlink attack on the _private directory, which is created when Front Page extensions are enabled. |
| Cross-site scripting (XSS) vulnerability in cPanel 6.4.2 allows remote attackers to insert arbitrary HTML and possibly gain cPanel administrator privileges via script in a URL that is logged but not properly quoted when displayed via the (1) Error Log or (2) Latest Visitors screens. |
