Vulnerabilities > Cpanel > High

| DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | ACCESS VECTOR | COMPLEXITY | VENDOR | CWE | RISK |
|---|---|---|---|---|---|---|---|---|
| 2019-08-01 | CVE-2016-10837 | Untrusted Search Path vulnerability in Cpanel | cPanel before 11.54.0.4 allows arbitrary code execution because of an unsafe @INC path (SEC-46). | network | | cpanel | CWE-426 | 8.5 |
| 2019-08-01 | CVE-2018-20887 | SQL Injection vulnerability in Cpanel | cPanel before 74.0.0 allows SQL injection during database backups (SEC-420). | network | low complexity | cpanel | CWE-89 | 7.5 |
| 2019-07-30 | CVE-2019-14400 | Unspecified vulnerability in Cpanel | cPanel before 78.0.18 allows local users to escalate to root access because of userdata cache misparsing (SEC-479). | local | low complexity | cpanel | | 7.2 |
| 2019-07-30 | CVE-2018-20869 | Improper Input Validation vulnerability in Cpanel | cPanel before 76.0.8 allows arbitrary code execution in the context of the root account via dnssec adminbin (SEC-465). | local | low complexity | cpanel | CWE-20 | 7.2 |
| 2019-07-30 | CVE-2018-20863 | Improper Input Validation vulnerability in Cpanel | cPanel before 76.0.8 allows remote attackers to execute arbitrary code via mailing-list attachments (SEC-452). | network | low complexity | cpanel | CWE-20 | 7.5 |
| 2007-06-22 | CVE-2007-3367 | Path Disclosure And Cross-Site Scripting vulnerability in CPanel SCGIwrap | Simple CGI Wrapper (scgiwrap) in cPanel before 10.9.1, and 11.x before 11.4.19-R14378, allows remote attackers to obtain sensitive information via a direct request, which reveals the path in an error message. | network | low complexity | cpanel | | 7.8 |
| 2007-02-08 | CVE-2007-0854 | Code Injection vulnerability in Cpanel Webhost Manager | Remote file inclusion vulnerability in scripts2/objcache in cPanel WebHost Manager (WHM) allows remote attackers to execute arbitrary code via a URL in the obj parameter. | network | low complexity | cpanel | CWE-94 | 7.5 |
| 2004-08-18 | CVE-2004-0490 | Local Privilege Escalation vulnerability in cPanel | cPanel, when compiling Apache 1.3.29 and PHP with the mod_phpsuexec option, does not set the --enable-discard-path option, which causes php to use the SCRIPT_FILENAME variable to find and execute a script instead of the PATH_TRANSLATED variable, which allows local users to execute arbitrary PHP code as other users via a URL that references the attacker's script after the user's script, which executes the attacker's script with the user's privileges, a different vulnerability than CVE-2004-0529. | local | low complexity | cpanel | | 7.2 |