Vulnerabilities > Cpanel > Cpanel > High
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2019-08-01 | CVE-2016-10837 | Untrusted Search Path vulnerability in Cpanel cPanel before 11.54.0.4 allows arbitrary code execution because of an unsafe @INC path (SEC-46). | 8.5 |
| 2019-08-01 | CVE-2018-20887 | SQL Injection vulnerability in Cpanel cPanel before 74.0.0 allows SQL injection during database backups (SEC-420). | 7.5 |
| 2019-07-30 | CVE-2019-14400 | Unspecified vulnerability in Cpanel cPanel before 78.0.18 allows local users to escalate to root access because of userdata cache misparsing (SEC-479). | 7.2 |
| 2019-07-30 | CVE-2018-20869 | Improper Input Validation vulnerability in Cpanel cPanel before 76.0.8 allows arbitrary code execution in the context of the root account via dnssec adminbin (SEC-465). | 7.2 |
| 2019-07-30 | CVE-2018-20863 | Improper Input Validation vulnerability in Cpanel cPanel before 76.0.8 allows remote attackers to execute arbitrary code via mailing-list attachments (SEC-452). | 7.5 |
| 2007-06-22 | CVE-2007-3367 | Path Disclosure And Cross-Site Scripting vulnerability in CPanel SCGIwrap Simple CGI Wrapper (scgiwrap) in cPanel before 10.9.1, and 11.x before 11.4.19-R14378, allows remote attackers to obtain sensitive information via a direct request, which reveals the path in an error message. | 7.8 |
| 2004-08-18 | CVE-2004-0490 | Local Privilege Escalation vulnerability in cPanel cPanel, when compiling Apache 1.3.29 and PHP with the mod_phpsuexec option, does not set the --enable-discard-path option, which causes php to use the SCRIPT_FILENAME variable to find and execute a script instead of the PATH_TRANSLATED variable, which allows local users to execute arbitrary PHP code as other users via a URL that references the attacker's script after the user's script, which executes the attacker's script with the user's privileges, a different vulnerability than CVE-2004-0529. | 7.2 |