This CPE summary could be partial or incomplete. Please contact us for a detailed listing.

Summary

Detail
Vendor Cpanel First view 2003-08-18
Product Cpanel Last view 2023-04-27
Version Type Application
Update  
Edition  
Language  
Sofware Edition  
Target Software  
Target Hardware  
Other  

Activity : Overall

COMMON PLATFORM ENUMERATION: Repartition per Version

CPE Name Affected CVE
cpe:2.3:a:cpanel:cpanel:5.0:*:*:*:*:*:*:* 390
cpe:2.3:a:cpanel:cpanel:6.4.2:*:*:*:*:*:*:* 388
cpe:2.3:a:cpanel:cpanel:6.4.1:*:*:*:*:*:*:* 388
cpe:2.3:a:cpanel:cpanel:6.4:*:*:*:*:*:*:* 388
cpe:2.3:a:cpanel:cpanel:6.2:*:*:*:*:*:*:* 388
cpe:2.3:a:cpanel:cpanel:6.4.2_stable_48:*:*:*:*:*:*:* 388
cpe:2.3:a:cpanel:cpanel:5.3:*:*:*:*:*:*:* 388
cpe:2.3:a:cpanel:cpanel:6.0:*:*:*:*:*:*:* 388
cpe:2.3:a:cpanel:cpanel:9.1:*:*:*:*:*:*:* 388
cpe:2.3:a:cpanel:cpanel:8.0:*:*:*:*:*:*:* 387
cpe:2.3:a:cpanel:cpanel:7.0:*:*:*:*:*:*:* 387
cpe:2.3:a:cpanel:cpanel:9.0:*:*:*:*:*:*:* 387
cpe:2.3:a:cpanel:cpanel:11.18.3:*:*:*:*:*:*:* 384
cpe:2.3:a:cpanel:cpanel:10:*:*:*:*:*:*:* 384
cpe:2.3:a:cpanel:cpanel:*:*:*:*:*:*:*:* 384
cpe:2.3:a:cpanel:cpanel:9.1.0_r85:*:*:*:*:*:*:* 383
cpe:2.3:a:cpanel:cpanel:9.9.1_r3:*:*:*:*:*:*:* 382
cpe:2.3:a:cpanel:cpanel:10.2.0_r82:*:*:*:*:*:*:* 382
cpe:2.3:a:cpanel:cpanel:10.6.0_r137:*:*:*:*:*:*:* 382
cpe:2.3:a:cpanel:cpanel:9.4.1:*:*:*:*:*:*:* 381
cpe:2.3:a:cpanel:cpanel:9.4.1_r64:*:*:*:*:*:*:* 381
cpe:2.3:a:cpanel:cpanel:-:*:*:*:*:*:*:* 381
cpe:2.3:a:cpanel:cpanel:10.8.1_113:*:*:*:*:*:*:* 381
cpe:2.3:a:cpanel:cpanel:11.18:*:*:*:*:*:*:* 381
cpe:2.3:a:cpanel:cpanel:11.22.2:*:*:*:*:*:*:* 381
cpe:2.3:a:cpanel:cpanel:11.22:*:*:*:*:*:*:* 381
cpe:2.3:a:cpanel:cpanel:11.18.2:*:*:*:*:*:*:* 381
cpe:2.3:a:cpanel:cpanel:11.4.19:*:*:*:*:*:*:* 381
cpe:2.3:a:cpanel:cpanel:11:*:*:*:*:*:*:* 381
cpe:2.3:a:cpanel:cpanel:11.18.1:*:*:*:*:*:*:* 381
cpe:2.3:a:cpanel:cpanel:11.22.1:*:*:*:*:*:*:* 381
cpe:2.3:a:cpanel:cpanel:11.19.3:*:*:*:*:*:*:* 380
cpe:2.3:a:cpanel:cpanel:11.0:*:*:*:*:*:*:* 380
cpe:2.3:a:cpanel:cpanel:10.9.1:*:*:*:*:*:*:* 380
cpe:2.3:a:cpanel:cpanel:10.9.0_r50:*:*:*:*:*:*:* 380
cpe:2.3:a:cpanel:cpanel:11.16:*:*:*:*:*:*:* 380
cpe:2.3:a:cpanel:cpanel:11.21:beta:*:*:*:*:*:* 380
cpe:2.3:a:cpanel:cpanel:10.8.2_118:*:*:*:*:*:*:* 380
cpe:2.3:a:cpanel:cpanel:11.18.4:*:*:*:*:*:*:* 379
cpe:2.3:a:cpanel:cpanel:11.21:*:*:*:*:*:*:* 379
cpe:2.3:a:cpanel:cpanel:11.22.3:*:*:*:*:*:*:* 379
cpe:2.3:a:cpanel:cpanel:11.23.1:current:*:*:*:*:*:* 378
cpe:2.3:a:cpanel:cpanel:11.8.6:stable:*:*:*:*:*:* 378
cpe:2.3:a:cpanel:cpanel:11.23.1_current:*:*:*:*:*:*:* 378
cpe:2.3:a:cpanel:cpanel:11.8.6_stable:*:*:*:*:*:*:* 378
cpe:2.3:a:cpanel:cpanel:11.24:*:*:*:*:*:*:* 377
cpe:2.3:a:cpanel:cpanel:11.24.7:*:*:*:*:*:*:* 377
cpe:2.3:a:cpanel:cpanel:11.34.0:*:*:*:*:*:*:* 377

Related : CVE

This CPE Product have more than 25 Relations. If you want to see a complete summary for this CPE, please contact us.
  Date Alert Description
6.1 2023-04-27 CVE-2023-29489

An issue was discovered in cPanel before 11.109.9999.116. XSS can occur on the cpsrvd error page via an invalid webcall ID, aka SEC-669. The fixed versions are 11.109.9999.116, 11.108.0.13, 11.106.0.18, and 11.102.0.31.

5.5 2021-08-11 CVE-2021-38590

In cPanel before 96.0.8, weak permissions on web stats can lead to information disclosure (SEC-584).

8.1 2021-08-11 CVE-2021-38589

In cPanel before 96.0.13, scripts/fix-cpanel-perl does not properly restrict the overwriting of files (SEC-588).

8.1 2021-08-11 CVE-2021-38588

In cPanel before 96.0.13, fix_cpanel_perl lacks verification of the integrity of downloads (SEC-587).

7.5 2021-08-11 CVE-2021-38587

In cPanel before 96.0.13, scripts/fix-cpanel-perl mishandles the creation of temporary files (SEC-586).

4.4 2021-08-11 CVE-2021-38586

In cPanel before 98.0.1, /scripts/cpan_config performs unsafe operations on files (SEC-589).

7.2 2021-08-11 CVE-2021-38585

The WHM Locale Upload feature in cPanel before 98.0.1 allows unserialization attacks (SEC-585).

7.2 2021-08-11 CVE-2021-38584

The WHM Locale Upload feature in cPanel before 98.0.1 allows XXE attacks (SEC-585).

6.1 2021-04-26 CVE-2021-31803

cPanel before 94.0.3 allows self-XSS via EasyApache 4 Save Profile (SEC-581).

7.5 2021-01-26 CVE-2021-26267

cPanel before 92.0.9 allows a MySQL user (who has an old-style password hash) to bypass suspension (SEC-579).

7.5 2021-01-26 CVE-2021-26266

cPanel before 92.0.9 allows a Reseller to bypass the suspension lock (SEC-578).

6.1 2020-11-27 CVE-2020-29137

cPanel before 90.0.17 allows self-XSS via the WHM Transfer Tool interface (SEC-577).

6.5 2020-11-27 CVE-2020-29136

In cPanel before 90.0.17, 2FA can be bypassed via a brute-force approach (SEC-575).

4.1 2020-11-27 CVE-2020-29135

cPanel before 90.0.17 has multiple instances of URL parameter injection (SEC-567).

6.1 2020-09-25 CVE-2020-26115

cPanel before 90.0.10 allows self XSS via the Cron Editor interface (SEC-574).

6.1 2020-09-25 CVE-2020-26114

cPanel before 90.0.10 allows self XSS via the Cron Jobs interface (SEC-573).

6.1 2020-09-25 CVE-2020-26113

cPanel before 90.0.10 allows self XSS via WHM Manage API Tokens interfaces (SEC-569).

7.5 2020-09-25 CVE-2020-26112

The email quota cache in cPanel before 90.0.10 allows overwriting of files.

6.1 2020-09-25 CVE-2020-26111

cPanel before 90.0.10 allows self XSS via the WHM Edit DNS Zone interface (SEC-566).

6.1 2020-09-25 CVE-2020-26110

cPanel before 88.0.13 allows self XSS via DNS Zone Manager DNSSEC interfaces (SEC-564).

7.5 2020-09-25 CVE-2020-26109

cPanel before 88.0.13 allows bypass of a protection mechanism that attempted to restrict package modification (SEC-557).

9.8 2020-09-25 CVE-2020-26108

cPanel before 88.0.13 mishandles file-extension dispatching, leading to code execution (SEC-488).

7.5 2020-09-25 CVE-2020-26107

cPanel before 88.0.3, upon an upgrade, establishes predictable PowerDNS API keys (SEC-561).

7.5 2020-09-25 CVE-2020-26106

cPanel before 88.0.3 has weak permissions (world readable) for the proxy subdomains log file (SEC-558).

9.8 2020-09-25 CVE-2020-26105

In cPanel before 88.0.3, insecure chkservd test credentials are used on a templated VM (SEC-554).

CWE : Common Weakness Enumeration

This CPE Product have more than 25 Relations. If you want to see a complete summary for this CPE, please contact us.
%idName
27% (93) CWE-79 Failure to Preserve Web Page Structure ('Cross-site Scripting')
21% (72) CWE-20 Improper Input Validation
8% (30) CWE-200 Information Exposure
6% (21) CWE-284 Access Control (Authorization) Issues
3% (11) CWE-287 Improper Authentication
2% (10) CWE-732 Incorrect Permission Assignment for Critical Resource
2% (10) CWE-74 Failure to Sanitize Data into a Different Plane ('Injection')
2% (8) CWE-275 Permission Issues
2% (8) CWE-254 Security Features
2% (7) CWE-601 URL Redirection to Untrusted Site ('Open Redirect')
1% (6) CWE-264 Permissions, Privileges, and Access Controls
1% (5) CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path ...
1% (4) CWE-532 Information Leak Through Log Files
1% (4) CWE-285 Improper Access Control (Authorization)
1% (4) CWE-94 Failure to Control Generation of Code ('Code Injection')
1% (4) CWE-89 Improper Sanitization of Special Elements used in an SQL Command ('...
1% (4) CWE-77 Improper Sanitization of Special Elements used in a Command ('Comma...
0% (3) CWE-434 Unrestricted Upload of File with Dangerous Type
0% (3) CWE-362 Race Condition
0% (3) CWE-358 Improperly Implemented Security Check for Standard
0% (3) CWE-255 Credentials Management
0% (3) CWE-134 Uncontrolled Format String
0% (2) CWE-668 Exposure of Resource to Wrong Sphere
0% (2) CWE-611 Information Leak Through XML External Entity File Disclosure
0% (2) CWE-352 Cross-Site Request Forgery (CSRF)

CAPEC : Common Attack Pattern Enumeration & Classification

id Name
CAPEC-245 Cross-Site Scripting Using Doubled Characters, e.g. %3C%3Cscript

Open Source Vulnerability Database (OSVDB)

This CPE Product have more than 25 Relations. If you want to see a complete summary for this CPE, please contact us.
id Description
61231 cPanel frontend/x3/files/fileop.html fileop Parameter XSS
60429 Openwebmail Crafted SCRIPT_FILENAME Environment Variable Local Privilege Esca...
55545 Fantastico for cPanel index.php sup3r Parameter Traversal Arbitrary File Access
55515 cPanel frontend/x3/stats/lastvisit.html domain Parameter Traversal Arbitrary ...
51582 cPanel Disk Usage Module frontend/x/diskusage/index.html showtree Parameter T...
49518 Fantastico De Luxe Module for cPanel autoinstall4imagesgalleryupgrade.php Mul...
45816 cPanel scripts/wwwacct Email Address Field Arbitrary Shell Command Execution
45068 WHM Interface for cPanel cpanel/whm/webmail CSRF
45067 WHM Interface for cPanel scripts2/listaccts search Parameter XSS
45066 WHM Interface for cPanel scripts2/changeip user Parameter XSS
45065 WHM Interface for cPanel scripts2/knowlegebase issue Parameter XSS
44848 cPanel frontend/x2/ftp/doaddftp.html command1 Parameter CSRF
44847 cPanel frontend/x2/sql/adduser.html command1 Parameter CSRF
44846 cPanel frontend/x2/sql/adddb.html command1 Parameter CSRF
44845 cPanel frontend/x2/cron/editcronsimple.html command1 Parameter CSRF
43854 cPanel frontend/x/manpage.html Query String XSS
40512 cPanel dohtaccess.html rurl Parameter XSS
36468 cPanel frontend/x/htaccess/changepro.html resname Parameter XSS
35861 cPanel Simple CGI Wrapper Direct Request Path Disclosure
35860 cPanel Simple CGI Wrapper URI XSS
32042 cPanel BoxTrapper /mail/manage.html account Parameter XSS
31835 cPanel PHP OpenBaseDir Configuration Local Access Restriction Bypass
30387 cPanel newuser.html Multiple Parameter XSS
30386 cPanel seldir.html dir Parameter XSS
30048 cPanel editzonetemplate template Parameter XSS

Snort® IPS/IDS

Date Description
2014-11-16 cPanel 9.01 multiple URI parameters cross site scripting attempt
RuleID : 31912 - Type : SERVER-WEBAPP - Revision : 3
2014-01-10 cPanel resetpass access
RuleID : 2569-community - Type : SERVER-WEBAPP - Revision : 10
2014-01-10 cPanel resetpass access
RuleID : 2569 - Type : SERVER-WEBAPP - Revision : 10

Nessus® Vulnerability Scanner

id Description
2017-03-27 Name: The remote Debian host is missing a security update.
File: debian_DLA-869.nasl - Type: ACT_GATHER_INFO
2005-06-21 Name: The remote web server contains a script that is prone to a cross-site scripti...
File: cpanel_login_user_xss.nasl - Type: ACT_ATTACK
2004-03-14 Name: The remote web server contains an application that is affected by multiple is...
File: cpanel_login_cmd_exec.nasl - Type: ACT_ATTACK
2003-02-28 Name: A web application on the remote host has a command execution vulnerability.
File: cpanel_cmd_exec.nasl - Type: ACT_ATTACK