This CPE summary could be partial or incomplete. Please contact us for a detailed listing.

Summary

Detail
Vendor Cpanel First view 2007-06-22
Product Cpanel Last view 2023-04-27
Version 11.0 Type Application
Update *  
Edition *  
Language *  
Sofware Edition *  
Target Software *  
Target Hardware *  
Other *  
 
CPE Product cpe:2.3:a:cpanel:cpanel

Activity : Overall

Related : CVE

This CPE have more than 25 Relations. If you want to see a complete summary for this CPE, please contact us.
  Date Alert Description
6.1 2023-04-27 CVE-2023-29489

An issue was discovered in cPanel before 11.109.9999.116. XSS can occur on the cpsrvd error page via an invalid webcall ID, aka SEC-669. The fixed versions are 11.109.9999.116, 11.108.0.13, 11.106.0.18, and 11.102.0.31.
5.5 2021-08-11 CVE-2021-38590

In cPanel before 96.0.8, weak permissions on web stats can lead to information disclosure (SEC-584).
8.1 2021-08-11 CVE-2021-38589

In cPanel before 96.0.13, scripts/fix-cpanel-perl does not properly restrict the overwriting of files (SEC-588).
8.1 2021-08-11 CVE-2021-38588

In cPanel before 96.0.13, fix_cpanel_perl lacks verification of the integrity of downloads (SEC-587).
7.5 2021-08-11 CVE-2021-38587

In cPanel before 96.0.13, scripts/fix-cpanel-perl mishandles the creation of temporary files (SEC-586).
4.4 2021-08-11 CVE-2021-38586

In cPanel before 98.0.1, /scripts/cpan_config performs unsafe operations on files (SEC-589).
7.2 2021-08-11 CVE-2021-38585

The WHM Locale Upload feature in cPanel before 98.0.1 allows unserialization attacks (SEC-585).
7.2 2021-08-11 CVE-2021-38584

The WHM Locale Upload feature in cPanel before 98.0.1 allows XXE attacks (SEC-585).
6.1 2021-04-26 CVE-2021-31803

cPanel before 94.0.3 allows self-XSS via EasyApache 4 Save Profile (SEC-581).
7.5 2021-01-26 CVE-2021-26267

cPanel before 92.0.9 allows a MySQL user (who has an old-style password hash) to bypass suspension (SEC-579).
7.5 2021-01-26 CVE-2021-26266

cPanel before 92.0.9 allows a Reseller to bypass the suspension lock (SEC-578).
6.1 2020-11-27 CVE-2020-29137

cPanel before 90.0.17 allows self-XSS via the WHM Transfer Tool interface (SEC-577).
6.5 2020-11-27 CVE-2020-29136

In cPanel before 90.0.17, 2FA can be bypassed via a brute-force approach (SEC-575).
4.1 2020-11-27 CVE-2020-29135

cPanel before 90.0.17 has multiple instances of URL parameter injection (SEC-567).
6.1 2020-09-25 CVE-2020-26115

cPanel before 90.0.10 allows self XSS via the Cron Editor interface (SEC-574).
6.1 2020-09-25 CVE-2020-26114

cPanel before 90.0.10 allows self XSS via the Cron Jobs interface (SEC-573).
6.1 2020-09-25 CVE-2020-26113

cPanel before 90.0.10 allows self XSS via WHM Manage API Tokens interfaces (SEC-569).
7.5 2020-09-25 CVE-2020-26112

The email quota cache in cPanel before 90.0.10 allows overwriting of files.
6.1 2020-09-25 CVE-2020-26111

cPanel before 90.0.10 allows self XSS via the WHM Edit DNS Zone interface (SEC-566).
6.1 2020-09-25 CVE-2020-26110

cPanel before 88.0.13 allows self XSS via DNS Zone Manager DNSSEC interfaces (SEC-564).
7.5 2020-09-25 CVE-2020-26109

cPanel before 88.0.13 allows bypass of a protection mechanism that attempted to restrict package modification (SEC-557).
9.8 2020-09-25 CVE-2020-26108

cPanel before 88.0.13 mishandles file-extension dispatching, leading to code execution (SEC-488).
7.5 2020-09-25 CVE-2020-26107

cPanel before 88.0.3, upon an upgrade, establishes predictable PowerDNS API keys (SEC-561).
7.5 2020-09-25 CVE-2020-26106

cPanel before 88.0.3 has weak permissions (world readable) for the proxy subdomains log file (SEC-558).
9.8 2020-09-25 CVE-2020-26105

In cPanel before 88.0.3, insecure chkservd test credentials are used on a templated VM (SEC-554).

CWE : Common Weakness Enumeration

This CPE have more than 25 Relations. If you want to see a complete summary for this CPE, please contact us.
%idName
26% (86) CWE-79 Failure to Preserve Web Page Structure ('Cross-site Scripting')
21% (71) CWE-20 Improper Input Validation
9% (30) CWE-200 Information Exposure
6% (21) CWE-284 Access Control (Authorization) Issues
3% (11) CWE-287 Improper Authentication
3% (10) CWE-732 Incorrect Permission Assignment for Critical Resource
3% (10) CWE-74 Failure to Sanitize Data into a Different Plane ('Injection')
2% (8) CWE-275 Permission Issues
2% (8) CWE-254 Security Features
2% (7) CWE-601 URL Redirection to Untrusted Site ('Open Redirect')
1% (6) CWE-264 Permissions, Privileges, and Access Controls
1% (4) CWE-532 Information Leak Through Log Files
1% (4) CWE-285 Improper Access Control (Authorization)
1% (4) CWE-94 Failure to Control Generation of Code ('Code Injection')
1% (4) CWE-89 Improper Sanitization of Special Elements used in an SQL Command ('...
1% (4) CWE-77 Improper Sanitization of Special Elements used in a Command ('Comma...
0% (3) CWE-434 Unrestricted Upload of File with Dangerous Type
0% (3) CWE-362 Race Condition
0% (3) CWE-358 Improperly Implemented Security Check for Standard
0% (3) CWE-255 Credentials Management
0% (3) CWE-134 Uncontrolled Format String
0% (2) CWE-668 Exposure of Resource to Wrong Sphere
0% (2) CWE-611 Information Leak Through XML External Entity File Disclosure
0% (2) CWE-330 Use of Insufficiently Random Values
0% (2) CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path ...

Open Source Vulnerability Database (OSVDB)

id Description
61231 cPanel frontend/x3/files/fileop.html fileop Parameter XSS
45816 cPanel scripts/wwwacct Email Address Field Arbitrary Shell Command Execution
35861 cPanel Simple CGI Wrapper Direct Request Path Disclosure
35860 cPanel Simple CGI Wrapper URI XSS

Nessus® Vulnerability Scanner

id Description
2017-03-27 Name: The remote Debian host is missing a security update.
File: debian_DLA-869.nasl - Type: ACT_GATHER_INFO