cPanel
By the Year
In 2024 there have been 0 vulnerabilities in cPanel. Last year cPanel had 1 security vulnerability published. Right now, cPanel is on track to have fewer security vulnerabilities in 2024 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2024 | 0 | 0.00 |
| 2023 | 1 | 6.10 |
| 2022 | 0 | 0.00 |
| 2021 | 10 | 6.91 |
| 2020 | 42 | 7.27 |
| 2019 | 125 | 5.51 |
| 2018 | 1 | 6.10 |
It may take a day or so for new cPanel vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent cPanel Security Vulnerabilities
An issue was discovered in cPanel before 11.109.9999.116
CVE-2023-29489
6.1 - Medium
- April 27, 2023
An issue was discovered in cPanel before 11.109.9999.116. XSS can occur on the cpsrvd error page via an invalid webcall ID, aka SEC-669. The fixed versions are 11.109.9999.116, 11.108.0.13, 11.106.0.18, and 11.102.0.31.
XSS
In cPanel before 96.0.8, weak permissions on web stats
CVE-2021-38590
5.5 - Medium
- August 11, 2021
In cPanel before 96.0.8, weak permissions on web stats can lead to information disclosure (SEC-584).
Incorrect Permission Assignment for Critical Resource
In cPanel before 96.0.13
CVE-2021-38589
8.1 - High
- August 11, 2021
In cPanel before 96.0.13, scripts/fix-cpanel-perl does not properly restrict the overwriting of files (SEC-588).
In cPanel before 96.0.13
CVE-2021-38588
8.1 - High
- August 11, 2021
In cPanel before 96.0.13, fix_cpanel_perl lacks verification of the integrity of downloads (SEC-587).
Download of Code Without Integrity Check
In cPanel before 96.0.13
CVE-2021-38587
7.5 - High
- August 11, 2021
In cPanel before 96.0.13, scripts/fix-cpanel-perl mishandles the creation of temporary files (SEC-586).
Race Condition
In cPanel before 98.0.1
CVE-2021-38586
4.4 - Medium
- August 11, 2021
In cPanel before 98.0.1, /scripts/cpan_config performs unsafe operations on files (SEC-589).
The WHM Locale Upload feature in cPanel before 98.0.1
CVE-2021-38585
7.2 - High
- August 11, 2021
The WHM Locale Upload feature in cPanel before 98.0.1 allows unserialization attacks (SEC-585).
Marshaling, Unmarshaling
The WHM Locale Upload feature in cPanel before 98.0.1
CVE-2021-38584
7.2 - High
- August 11, 2021
The WHM Locale Upload feature in cPanel before 98.0.1 allows XXE attacks (SEC-585).
XXE
cPanel before 94.0.3
CVE-2021-31803
6.1 - Medium
- April 26, 2021
cPanel before 94.0.3 allows self-XSS via EasyApache 4 Save Profile (SEC-581).
XSS
cPanel before 92.0.9
CVE-2021-26266
7.5 - High
- January 26, 2021
cPanel before 92.0.9 allows a Reseller to bypass the suspension lock (SEC-578).
cPanel before 92.0.9
CVE-2021-26267
7.5 - High
- January 26, 2021
cPanel before 92.0.9 allows a MySQL user (who has an old-style password hash) to bypass suspension (SEC-579).
cPanel before 90.0.17 has multiple instances of URL parameter injection (SEC-567).
CVE-2020-29135
4.1 - Medium
- November 27, 2020
cPanel before 90.0.17 has multiple instances of URL parameter injection (SEC-567).
Injection
In cPanel before 90.0.17, 2FA can be bypassed
CVE-2020-29136
6.5 - Medium
- November 27, 2020
In cPanel before 90.0.17, 2FA can be bypassed via a brute-force approach (SEC-575).
Improper Restriction of Excessive Authentication Attempts
cPanel before 90.0.17
CVE-2020-29137
6.1 - Medium
- November 27, 2020
cPanel before 90.0.17 allows self-XSS via the WHM Transfer Tool interface (SEC-577).
XSS
cPanel before 88.0.3 mishandles the Exim filter path
CVE-2020-26098
9.8 - Critical
- September 25, 2020
cPanel before 88.0.3 mishandles the Exim filter path, leading to remote code execution (SEC-485).
cPanel before 88.0.3
CVE-2020-26099
7.5 - High
- September 25, 2020
cPanel before 88.0.3 allows attackers to bypass the SMTP greylisting protection mechanism (SEC-491).
chsh in cPanel before 88.0.3
CVE-2020-26100
9.8 - Critical
- September 25, 2020
chsh in cPanel before 88.0.3 allows a Jailshell escape (SEC-497).
In cPanel before 88.0.3
CVE-2020-26101
9.8 - Critical
- September 25, 2020
In cPanel before 88.0.3, insecure RNDC credentials are used for BIND on a templated VM (SEC-549).
Insufficiently Protected Credentials
In cPanel before 88.0.3
CVE-2020-26102
7.5 - High
- September 25, 2020
In cPanel before 88.0.3, an insecure auth policy API key is used by Dovecot on a templated VM (SEC-550).
AuthZ
In cPanel before 88.0.3
CVE-2020-26103
7.5 - High
- September 25, 2020
In cPanel before 88.0.3, an insecure site password is used for Mailman on a templated VM (SEC-551).
Weak Password Requirements
In cPanel before 88.0.3
CVE-2020-26104
7.5 - High
- September 25, 2020
In cPanel before 88.0.3, an insecure SRS secret is used on a templated VM (SEC-552).
Insecure Storage of Sensitive Information
In cPanel before 88.0.3
CVE-2020-26105
9.8 - Critical
- September 25, 2020
In cPanel before 88.0.3, insecure chkservd test credentials are used on a templated VM (SEC-554).
Insufficiently Protected Credentials
cPanel before 88.0.3 has weak permissions (world readable) for the proxy subdomains log file (SEC-558).
CVE-2020-26106
7.5 - High
- September 25, 2020
cPanel before 88.0.3 has weak permissions (world readable) for the proxy subdomains log file (SEC-558).
Insertion of Sensitive Information into Log File
cPanel before 88.0.3
CVE-2020-26107
7.5 - High
- September 25, 2020
cPanel before 88.0.3, upon an upgrade, establishes predictable PowerDNS API keys (SEC-561).
Inadequate Encryption Strength
cPanel before 88.0.13 mishandles file-extension dispatching
CVE-2020-26108
9.8 - Critical
- September 25, 2020
cPanel before 88.0.13 mishandles file-extension dispatching, leading to code execution (SEC-488).
cPanel before 88.0.13 allows bypass of a protection mechanism
CVE-2020-26109
7.5 - High
- September 25, 2020
cPanel before 88.0.13 allows bypass of a protection mechanism that attempted to restrict package modification (SEC-557).
cPanel before 88.0.13
CVE-2020-26110
6.1 - Medium
- September 25, 2020
cPanel before 88.0.13 allows self XSS via DNS Zone Manager DNSSEC interfaces (SEC-564).
XSS
cPanel before 90.0.10
CVE-2020-26111
6.1 - Medium
- September 25, 2020
cPanel before 90.0.10 allows self XSS via the WHM Edit DNS Zone interface (SEC-566).
XSS
The email quota cache in cPanel before 90.0.10
CVE-2020-26112
7.5 - High
- September 25, 2020
The email quota cache in cPanel before 90.0.10 allows overwriting of files.
cPanel before 90.0.10
CVE-2020-26113
6.1 - Medium
- September 25, 2020
cPanel before 90.0.10 allows self XSS via WHM Manage API Tokens interfaces (SEC-569).
XSS
cPanel before 90.0.10
CVE-2020-26114
6.1 - Medium
- September 25, 2020
cPanel before 90.0.10 allows self XSS via the Cron Jobs interface (SEC-573).
XSS
cPanel before 90.0.10
CVE-2020-26115
6.1 - Medium
- September 25, 2020
cPanel before 90.0.10 allows self XSS via the Cron Editor interface (SEC-574).
XSS
cPanel before 86.0.14
CVE-2020-12784
5.3 - Medium
- May 11, 2020
cPanel before 86.0.14 allows remote attackers to trigger a bandwidth suspension via mail log strings (SEC-505).
Improper Input Validation
cPanel before 86.0.14
CVE-2020-12785
8.1 - High
- May 11, 2020
cPanel before 86.0.14 allows attackers to obtain access to the current working directory via the account backup feature (SEC-540).
AuthZ
cPanel before 82.0.18
CVE-2019-20490
8.8 - High
- March 17, 2020
cPanel before 82.0.18 allows authentication bypass because webmail usernames are processed inconsistently (SEC-499).
cPanel before 82.0.18
CVE-2019-20492
8.8 - High
- March 17, 2020
cPanel before 82.0.18 allows authentication bypass because of misparsing of the format of the password file (SEC-516).
cPanel before 82.0.18
CVE-2019-20493
6.1 - Medium
- March 17, 2020
cPanel before 82.0.18 allows self-XSS because JSON string escaping is mishandled (SEC-520).
XSS
In cPanel before 82.0.18, Cpanel::Rand::Get
CVE-2019-20494
3.3 - Low
- March 17, 2020
In cPanel before 82.0.18, Cpanel::Rand::Get can produce a predictable series of numbers (SEC-525).
Improper Input Validation
cPanel before 82.0.18
CVE-2019-20495
6.5 - Medium
- March 17, 2020
cPanel before 82.0.18 allows attackers to read an arbitrary database via MySQL dump streaming (SEC-531).
Information Disclosure
cPanel before 82.0.18
CVE-2019-20496
5.5 - Medium
- March 17, 2020
cPanel before 82.0.18 allows attackers to conduct arbitrary chown operations as root during log processing (SEC-532).
cPanel before 82.0.18
CVE-2019-20497
5.4 - Medium
- March 17, 2020
cPanel before 82.0.18 allows stored XSS via WHM Backup Restoration (SEC-533).
XSS
cPanel before 82.0.18
CVE-2019-20498
9.8 - Critical
- March 17, 2020
cPanel before 82.0.18 allows WebDAV authentication bypass because the connection-sharing logic is incorrect (SEC-534).
cPanel before 84.0.20
CVE-2020-10113
6.1 - Medium
- March 17, 2020
cPanel before 84.0.20 allows self XSS via a temporary character-set specification (SEC-515).
XSS
cPanel before 84.0.20
CVE-2020-10114
6.1 - Medium
- March 17, 2020
cPanel before 84.0.20 allows stored self-XSS via the HTML file editor (SEC-535).
XSS
cPanel before 84.0.20, when PowerDNS is used, allows arbitrary code execution as root via dnsadmin
CVE-2020-10115
7.2 - High
- March 17, 2020
cPanel before 84.0.20, when PowerDNS is used, allows arbitrary code execution as root via dnsadmin (SEC-537).
Improper Input Validation
cPanel before 84.0.20
CVE-2020-10116
5.3 - Medium
- March 17, 2020
cPanel before 84.0.20 allows attackers to bypass intended restrictions on features and demo accounts via WebDisk UAPI calls (SEC-541).
AuthZ
cPanel before 84.0.20 mishandles enforcement of demo checks in the Market UAPI namespace (SEC-542).
CVE-2020-10117
9.1 - Critical
- March 17, 2020
cPanel before 84.0.20 mishandles enforcement of demo checks in the Market UAPI namespace (SEC-542).
AuthZ
cPanel before 84.0.20
CVE-2020-10118
9.1 - Critical
- March 17, 2020
cPanel before 84.0.20 allows a demo account to modify files via Branding API calls (SEC-543).
cPanel before 84.0.20
CVE-2020-10119
9.8 - Critical
- March 17, 2020
cPanel before 84.0.20 allows a demo account to achieve remote code execution via a cpsrvd rsync shell (SEC-544).
cPanel before 84.0.20
CVE-2020-10120
7.2 - High
- March 17, 2020
cPanel before 84.0.20 allows resellers to achieve remote code execution as root via a cpsrvd rsync shell (SEC-545).
AuthZ
cPanel before 84.0.20
CVE-2020-10121
9.8 - Critical
- March 17, 2020
cPanel before 84.0.20 allows a demo account to achieve code execution via PassengerApps APIs (SEC-546).
cPanel before 84.0.20
CVE-2020-10122
6.5 - Medium
- March 17, 2020
cPanel before 84.0.20 allows a webmail or demo account to delete arbitrary files (SEC-547).
Improper Input Validation
cPanel before 82.0.18
CVE-2019-20491
5.4 - Medium
- March 16, 2020
cPanel before 82.0.18 allows attackers to leverage virtual mail accounts in order to bypass account suspensions (SEC-508).
cPanel before 82.0.15
CVE-2019-17375
8.8 - High
- October 09, 2019
cPanel before 82.0.15 allows API token credentials to persist after an account has been renamed or terminated (SEC-517).
Insufficient Session Expiration
cPanel before 82.0.15
CVE-2019-17376
6.1 - Medium
- October 09, 2019
cPanel before 82.0.15 allows self XSS in the SSL Certificate Upload interface (SEC-521).
XSS
cPanel before 82.0.15
CVE-2019-17377
6.1 - Medium
- October 09, 2019
cPanel before 82.0.15 allows self XSS in LiveAPI example scripts (SEC-524).
XSS
cPanel before 82.0.15
CVE-2019-17378
6.1 - Medium
- October 09, 2019
cPanel before 82.0.15 allows self XSS in the SSL Key Delete interface (SEC-526).
XSS
cPanel before 82.0.15
CVE-2019-17379
6.1 - Medium
- October 09, 2019
cPanel before 82.0.15 allows self stored XSS in the WHM SSL Storage Manager interface (SEC-527).
XSS
cPanel before 82.0.15
CVE-2019-17380
6.1 - Medium
- October 09, 2019
cPanel before 82.0.15 allows self XSS in the WHM Update Preferences interface (SEC-528).
XSS
cPanel before 68.0.27
CVE-2018-20936
3.3 - Low
- August 01, 2019
cPanel before 68.0.27 allows attackers to read the SRS secret via exim.conf (SEC-308).
Incorrect Permission Assignment for Critical Resource
cPanel before 68.0.27 does not validate database and dbuser names during renames (SEC-321).
CVE-2018-20937
4.3 - Medium
- August 01, 2019
cPanel before 68.0.27 does not validate database and dbuser names during renames (SEC-321).
Authentication
cPanel before 68.0.27 does not enforce ownership during addpkgext and delpkgext WHM API calls (SEC-324).
CVE-2018-20938
2.7 - Low
- August 01, 2019
cPanel before 68.0.27 does not enforce ownership during addpkgext and delpkgext WHM API calls (SEC-324).
Authorization
cPanel before 68.0.27 allows a user to discover contents of directories
CVE-2018-20939
3.3 - Low
- August 01, 2019
cPanel before 68.0.27 allows a user to discover contents of directories (that are not owned by that user) by leveraging backups (SEC-339).
Information Disclosure
cPanel before 68.0.27
CVE-2018-20940
3.3 - Low
- August 01, 2019
cPanel before 68.0.27 allows attackers to read root's crontab file during a short time interval upon the enabling of backups (SEC-342).
Race Condition
cPanel before 68.0.27
CVE-2018-20941
5.6 - Medium
- August 01, 2019
cPanel before 68.0.27 allows arbitrary file-read operations via restore adminbin (SEC-349).
Information Disclosure
cPanel before 68.0.27
CVE-2018-20942
2.5 - Low
- August 01, 2019
cPanel before 68.0.27 allows attackers to read root's crontab file during a short time interval upon configuring crontab (SEC-351).
Information Disclosure
cPanel before 68.0.27
CVE-2018-20943
2.5 - Low
- August 01, 2019
cPanel before 68.0.27 allows attackers to read root's crontab file during a short time interval upon a post-update task (SEC-352).
Information Disclosure
cPanel before 68.0.27 allows attackers to read a copy of httpd.conf
CVE-2018-20944
3.3 - Low
- August 01, 2019
cPanel before 68.0.27 allows attackers to read a copy of httpd.conf that is created during a syntax test (SEC-353).
Information Disclosure
bin/csvprocess in cPanel before 68.0.27
CVE-2018-20945
5.7 - Medium
- August 01, 2019
bin/csvprocess in cPanel before 68.0.27 allows insecure file operations (SEC-354).
AuthZ
cPanel before 68.0.27
CVE-2018-20946
3.3 - Low
- August 01, 2019
cPanel before 68.0.27 allows attackers to read zone information because a world-readable archive is created by the archive_sync_zones script (SEC-355).
Information Disclosure
cPanel before 68.0.27
CVE-2018-20947
5.5 - Medium
- August 01, 2019
cPanel before 68.0.27 allows certain file-write operations via the telnetcrt script (SEC-356).
Exposure of Resource to Wrong Sphere
cPanel before 68.0.27
CVE-2018-20948
6.1 - Medium
- August 01, 2019
cPanel before 68.0.27 allows self XSS in cPanel Backup Restoration (SEC-383).
XSS
cPanel before 68.0.27
CVE-2018-20949
6.1 - Medium
- August 01, 2019
cPanel before 68.0.27 allows self XSS in WHM Apache Configuration Include Editor (SEC-385).
XSS
cPanel before 68.0.27
CVE-2018-20950
6.1 - Medium
- August 01, 2019
cPanel before 68.0.27 allows self stored XSS in WHM Account Transfer (SEC-386).
XSS
cPanel before 68.0.27
CVE-2018-20951
6.1 - Medium
- August 01, 2019
cPanel before 68.0.27 allows self XSS in WHM Spamd Startup Config (SEC-387).
XSS
cPanel before 68.0.27 creates world-readable files during use of WHM Apache Includes Editor (SEC-388).
CVE-2018-20952
6.5 - Medium
- August 01, 2019
cPanel before 68.0.27 creates world-readable files during use of WHM Apache Includes Editor (SEC-388).
Information Disclosure
cPanel before 68.0.27
CVE-2018-20953
6.1 - Medium
- August 01, 2019
cPanel before 68.0.27 allows self XSS in the WHM listips interface (SEC-389).
XSS
cPanel before 70.0.23
CVE-2018-20924
5.5 - Medium
- August 01, 2019
cPanel before 70.0.23 allows arbitrary file-read and file-unlink operations via WHM style uploads (SEC-378).
Authentication
cPanel before 70.0.23
CVE-2018-20925
6.7 - Medium
- August 01, 2019
cPanel before 70.0.23 allows local privilege escalation via the WHM Legacy Language File Upload interface (SEC-379).
Unrestricted File Upload
cPanel before 70.0.23
CVE-2018-20926
6.7 - Medium
- August 01, 2019
cPanel before 70.0.23 allows local privilege escalation via the WHM Locale XML Upload interface (SEC-380).
Unrestricted File Upload
cPanel before 70.0.23
CVE-2018-20927
3.8 - Low
- August 01, 2019
cPanel before 70.0.23 allows jailshell escape because of incorrect crontab parsing (SEC-382).
AuthZ
cPanel before 70.0.23
CVE-2018-20928
6.1 - Medium
- August 01, 2019
cPanel before 70.0.23 allows stored XSS via the cpaddons vendor interface (SEC-391).
XSS
cPanel before 70.0.23
CVE-2018-20929
6.1 - Medium
- August 01, 2019
cPanel before 70.0.23 allows an open redirect via the /unprotected/redirect.html endpoint (SEC-392).
Open Redirect
cPanel before 70.0.23
CVE-2018-20930
6.5 - Medium
- August 01, 2019
cPanel before 70.0.23 allows .htaccess restrictions bypass when Htaccess Optimization is enabled (SEC-401).
Authorization
cPanel before 70.0.23
CVE-2018-20931
6.3 - Medium
- August 01, 2019
cPanel before 70.0.23 allows demo accounts to execute code via the Landing Page (SEC-405).
Code Injection
cPanel before 70.0.23 exposes Apache HTTP Server logs after creation of certain domains (SEC-406).
CVE-2018-20932
2.7 - Low
- August 01, 2019
cPanel before 70.0.23 exposes Apache HTTP Server logs after creation of certain domains (SEC-406).
Insertion of Sensitive Information into Externally-Accessible File or Directory
cPanel before 70.0.23 has Stored XSS
CVE-2018-20933
5.4 - Medium
- August 01, 2019
cPanel before 70.0.23 has Stored XSS via a WHM Edit DNS Zone action (SEC-410).
XSS
cPanel before 70.0.23 does not prevent e-mail account suspensions
CVE-2018-20934
6.5 - Medium
- August 01, 2019
cPanel before 70.0.23 does not prevent e-mail account suspensions from being applied to unowned accounts (SEC-411).
Improperly Implemented Security Check for Standard
cPanel before 70.0.23
CVE-2018-20935
5.4 - Medium
- August 01, 2019
cPanel before 70.0.23 allows stored XSS via a WHM "Reset a DNS Zone" action (SEC-412).
XSS
cPanel before 71.9980.37
CVE-2018-20901
6.1 - Medium
- August 01, 2019
cPanel before 71.9980.37 allows Remote-Stored XSS in WHM Save Theme Interface (SEC-400).
XSS
cPanel before 71.9980.37
CVE-2018-20902
5.5 - Medium
- August 01, 2019
cPanel before 71.9980.37 allows attackers to read root's crontab file by leveraging ClamAV installation (SEC-408).
Information Disclosure
cPanel before 71.9980.37
CVE-2018-20903
6.1 - Medium
- August 01, 2019
cPanel before 71.9980.37 allows self XSS in the WHM Backup Configuration interface (SEC-421).
XSS
cPanel before 71.9980.37 allows attackers to make API calls
CVE-2018-20904
4.3 - Medium
- August 01, 2019
cPanel before 71.9980.37 allows attackers to make API calls that bypass the cron feature restriction (SEC-427).
Incorrect Permission Assignment for Critical Resource
cPanel before 71.9980.37 allows attackers to make API calls
CVE-2018-20905
5.4 - Medium
- August 01, 2019
cPanel before 71.9980.37 allows attackers to make API calls that bypass the backup feature restriction (SEC-429).
Incorrect Permission Assignment for Critical Resource
cPanel before 71.9980.37 allows attackers to make API calls
CVE-2018-20906
4.3 - Medium
- August 01, 2019
cPanel before 71.9980.37 allows attackers to make API calls that bypass the images feature restriction (SEC-430).
Incorrect Permission Assignment for Critical Resource
cPanel before 71.9980.37 does not enforce the Mime::list_hotlinks API feature restriction (SEC-432).
CVE-2018-20907
4.3 - Medium
- August 01, 2019
cPanel before 71.9980.37 does not enforce the Mime::list_hotlinks API feature restriction (SEC-432).
Incorrect Permission Assignment for Critical Resource
cPanel before 71.9980.37
CVE-2018-20908
5.5 - Medium
- August 01, 2019
cPanel before 71.9980.37 allows arbitrary file-read operations during pkgacct custom template handling (SEC-435).
Incorrect Permission Assignment for Critical Resource
cPanel before 70.0.23
CVE-2018-20909
7.1 - High
- August 01, 2019
cPanel before 70.0.23 allows arbitrary file-chmod operations during legacy incremental backups (SEC-338).
Incorrect Permission Assignment for Critical Resource
cPanel before 70.0.23
CVE-2018-20910
6.1 - Medium
- August 01, 2019
cPanel before 70.0.23 allows self XSS in the WHM cPAddons showsecurity Interface (SEC-357).
XSS
cPanel before 70.0.23 allows code execution
CVE-2018-20911
7.2 - High
- August 01, 2019
cPanel before 70.0.23 allows code execution because "." is in @INC during a Perl syntax check of cpaddonsup (SEC-359).
XSS