In cPanel before 67.9999.103, a user account's backup archive could contain all MySQL databases on the server (SEC-284).

In cPanel before 67.9999.103, the backup interface could return a backup archive with all MySQL databases (SEC-283).

cPanel before 67.9999.103 allows stored XSS in WHM MySQL Password Change interfaces (SEC-282).

In cPanel before 57.9999.54, user log files become world-readable when rotated by cpanellogd (SEC-125).

cPanel before 57.9999.54 incorrectly sets log-file permissions in dnsadmin-startup and spamd-startup (SEC-124).

cPanel before 57.9999.54 allows SQL Injection via the ModSecurity TailWatch log file (SEC-123).

cPanel before 57.9999.54 allows Webmail accounts to execute arbitrary code through forwarders (SEC-121).

cPanel before 57.9999.54 allows arbitrary file-read operations for Webmail accounts via Branding APIs (SEC-120).

cPanel before 57.9999.54 allows demo-mode escape via show_template.stor (SEC-119).

cPanel before 57.9999.54 allows self XSS during ftp account creation under addon domains (SEC-118).

cPanel before 70.0.23 allows stored XSS via a WHM Synchronize DNS Records action (SEC-377).

cPanel before 70.0.23 allows stored XSS via a WHM DNS Cleanup action (SEC-376).

cPanel before 70.0.23 allows stored XSS via a WHM "Delete a DNS Zone" action (SEC-375).

cPanel before 70.0.23 allows stored XSS via a WHM Edit DNS Zone action (SEC-374).

cPanel before 70.0.23 allows stored XSS via a WHM Create Account action (SEC-373).

cPanel before 70.0.23 allows stored XSS in WHM DNS Cluster (SEC-372).

cPanel before 70.0.23 allows any user to disable Solr (SEC-371).

cPanel before 70.0.23 allows Stored XSS via a WHM Edit MX Entry (SEC-370).

cPanel before 70.0.23 allows stored XSS via a WHM Edit DNS Zone action (SEC-369).

In cPanel before 70.0.23, OpenID providers can inject arbitrary data into cPanel session files (SEC-368).