Vulnerabilities > Cpanel
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2019-07-30 | CVE-2019-14391 | Unspecified vulnerability in Cpanel cPanel before 82.0.2 does not properly enforce Reseller package creation ACLs (SEC-514). | 3.3 |
| 2019-07-30 | CVE-2019-14390 | Cross-site Scripting vulnerability in Cpanel cPanel before 82.0.2 has stored XSS in the WHM Modify Account interface (SEC-512). | 5.4 |
| 2019-07-30 | CVE-2019-14389 | Unspecified vulnerability in Cpanel cPanel before 82.0.2 allows local users to discover the MySQL root password (SEC-510). | 7.8 |
| 2019-07-30 | CVE-2019-14388 | Unspecified vulnerability in Cpanel cPanel before 82.0.2 allows unauthenticated file creation because Exim log parsing is mishandled (SEC-507). | 7.5 |
| 2019-07-30 | CVE-2019-14387 | Cross-site Scripting vulnerability in Cpanel cPanel before 82.0.2 has Self XSS in the cPanel and webmail master templates (SEC-506). | 6.1 |
| 2019-07-30 | CVE-2019-14386 | Cross-site Scripting vulnerability in Cpanel cPanel before 82.0.2 has stored XSS in the WHM Tomcat Manager interface (SEC-504). | 5.4 |
| 2018-08-30 | CVE-2018-16236 | Cross-site Scripting vulnerability in Cpanel cPanel through 74 allows XSS via a crafted filename in the logs subdirectory of a user account, because the filename is mishandled during frontend/THEME/raw/index.html rendering. | 6.1 |
| 2017-07-19 | CVE-2017-11441 | Cross-site Scripting vulnerability in Cpanel WHM The WHM Upload Locale interface in cPanel before 56.0.51, 58.x before 58.0.52, 60.x before 60.0.45, 62.x before 62.0.27, 64.x before 64.0.33, and 66.x before 66.0.2 has XSS via a locale filename, aka SEC-297. | 5.4 |
| 2017-03-03 | CVE-2017-5616 | Cross-site Scripting vulnerability in Cpanel Cgiecho and Cgiemail Cross-site scripting (XSS) vulnerability in cgiemail and cgiecho allows remote attackers to inject arbitrary web script or HTML via the addendum parameter. | 6.1 |
| 2017-03-03 | CVE-2017-5615 | Open Redirect vulnerability in Cpanel Cgiecho and Cgiemail cgiemail and cgiecho allow remote attackers to inject HTTP headers via a newline character in the redirect location. | 6.1 |