National Vulnerability Database

Search Results

Search Parameters:
  • Keyword (text search): cpanel
  • Search Type: Search All
  • Contains Software Flaws (CVE)
There are 65 matching records.
Displaying matches 1 through 20.
Vuln ID | Summary | CVSS Severity
CVE-2018-16236

cPanel through 74 allows XSS via a crafted filename in the logs subdirectory of a user account, because the filename is mishandled during frontend/THEME/raw/index.html rendering.

Published: August 30, 2018; 06:29:00 PM -04:00
V3: 6.1 MEDIUM
V2: 4.3 MEDIUM
CVE-2018-7735

Afian FileRun (before 2018.02.13) suffers from a remote SQL injection vulnerability, when logged in as superuser, via the search parameter in a /?module=metadata&section=cpanel&page=list_filetypes request.

Published: March 06, 2018; 02:29:00 PM -05:00
V3: 7.2 HIGH
V2: 6.5 MEDIUM
CVE-2018-7734

Afian FileRun (before 2018.02.13) suffers from a remote SQL injection vulnerability, when logged in as superuser, via the search parameter in a /?module=users&section=cpanel&page=list request.

Published: March 06, 2018; 02:29:00 PM -05:00
V3: 7.2 HIGH
V2: 6.5 MEDIUM
CVE-2017-11441

The WHM Upload Locale interface in cPanel before 56.0.51, 58.x before 58.0.52, 60.x before 60.0.45, 62.x before 62.0.27, 64.x before 64.0.33, and 66.x before 66.0.2 has XSS via a locale filename, aka SEC-297.

Published: July 19, 2017; 03:29:00 AM -04:00
V3: 5.4 MEDIUM
V2: 3.5 LOW
CVE-2017-5616

Cross-site scripting (XSS) vulnerability in cgiemail and cgiecho allows remote attackers to inject arbitrary web script or HTML via the addendum parameter.

Published: March 03, 2017; 10:59:01 AM -05:00
V3: 6.1 MEDIUM
V2: 4.3 MEDIUM
CVE-2017-5615

cgiemail and cgiecho allow remote attackers to inject HTTP headers via a newline character in the redirect location.

Published: March 03, 2017; 10:59:00 AM -05:00
V3: 6.1 MEDIUM
V2: 5.8 MEDIUM
CVE-2017-5614

Open redirect vulnerability in cgiemail and cgiecho allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via vectors involving the (1) success or (2) failure parameter.

Published: March 03, 2017; 10:59:00 AM -05:00
V3: 6.1 MEDIUM
V2: 5.8 MEDIUM
CVE-2017-5613

Format string vulnerability in cgiemail and cgiecho allows remote attackers to execute arbitrary code via format string specifiers in a template file.

Published: March 03, 2017; 10:59:00 AM -05:00
V3: 7.8 HIGH
V2: 6.8 MEDIUM
CVE-2015-2845

The cpanel function in go_site.php in GoAutoDial GoAdmin CE before 3.3-1421902800 allows remote attackers to execute arbitrary commands via the $type portion of the PATH_INFO.

Published: May 12, 2015; 03:59:20 PM -04:00
V2: 10.0 HIGH
CVE-2015-2844

The cpanel function in go_site.php in GoAutoDial GoAdmin CE before 3.3-1420434000 allows remote attackers to execute arbitrary commands via the $action portion of the PATH_INFO.

Published: May 12, 2015; 03:59:19 PM -04:00
V2: 10.0 HIGH
CVE-2013-6171

checkpassword-reply in Dovecot before 2.2.7 performs setuid operations to a user who is authenticating, which allows local users to bypass authentication and access virtual email accounts by attaching to the process and using a restricted file descriptor to modify account information in the response to the dovecot-auth server.

Published: December 09, 2013; 11:36:47 AM -05:00
V2: 5.8 MEDIUM
CVE-2010-4345

Exim 4.72 and earlier allows local users to gain privileges by leveraging the ability of the exim user account to specify an alternate configuration file with a directive that contains arbitrary commands, as demonstrated by the spool_directory directive.

Published: December 14, 2010; 11:00:04 AM -05:00
V2: 6.9 MEDIUM
CVE-2010-4344

Heap-based buffer overflow in the string_vformat function in string.c in Exim before 4.70 allows remote attackers to execute arbitrary code via an SMTP session that includes two MAIL commands in conjunction with a large message containing crafted headers, leading to improper rejection logging.

Published: December 14, 2010; 11:00:04 AM -05:00
V2: 9.3 HIGH
CVE-2009-4823

Cross-site scripting (XSS) vulnerability in frontend/x3/files/fileop.html in cPanel 11.0 through 11.24.7 allows remote attackers to inject arbitrary web script or HTML via the fileop parameter.

Published: April 27, 2010; 11:30:00 AM -04:00
V2: 4.3 MEDIUM
CVE-2009-3316

SQL injection vulnerability in the JReservation (com_jreservation) component 1.0 and 1.5 for Joomla! allows remote attackers to execute arbitrary SQL commands via the pid parameter in a propertycpanel action to index.php.

Published: September 23, 2009; 08:08:35 AM -04:00
V2: 7.5 HIGH
CVE-2008-7142

Absolute path traversal vulnerability in the Disk Usage module (frontend/x/diskusage/index.html) in cPanel 11.18.3 allows remote attackers to list arbitrary directories via the showtree parameter.

Published: September 01, 2009; 12:30:00 PM -04:00
V2: 5.0 MEDIUM
CVE-2008-6927

Multiple cross-site scripting (XSS) vulnerabilities in autoinstall4imagesgalleryupgrade.php in the Fantastico De Luxe Module for cPanel allow remote attackers to inject arbitrary web script or HTML via the (1) localapp, (2) updatedir, (3) scriptpath_show, (4) domain_show, (5) thispage, (6) thisapp, and (7) currentversion parameters in an Upgrade action.

Published: August 10, 2009; 04:30:00 PM -04:00
V2: 4.3 MEDIUM
CVE-2008-6926

Directory traversal vulnerability in autoinstall4imagesgalleryupgrade.php in the Fantastico De Luxe Module for cPanel allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the scriptpath_show parameter in a GoAhead action. NOTE: this issue only crosses privilege boundaries when security settings such as disable_functions and safe_mode are active, since exploitation requires uploading of executable code to a home directory.

Published: August 10, 2009; 04:30:00 PM -04:00
V2: 6.8 MEDIUM
CVE-2008-6843

Directory traversal vulnerability in index.php in Fantastico, as used with cPanel 11.x, allows remote attackers to read arbitrary files via a .. (dot dot) in the sup3r parameter.

Published: July 02, 2009; 06:30:00 AM -04:00
V2: 5.0 MEDIUM
CVE-2009-2275

Directory traversal vulnerability in frontend/x3/stats/lastvisit.html in cPanel allows remote attackers to read arbitrary files via a .. (dot dot) in the domain parameter.

Published: July 01, 2009; 09:00:01 AM -04:00
V2: 5.0 MEDIUM