API Analytics adminbin in cPanel before 80.0.5 allows spoofed insertions of log data (SEC-495).

cPanel before 80.0.5 uses world-readable permissions for the Queueprocd log (SEC-494).

cPanel before 80.0.5 allows unsafe file operations in the context of the root account via the fetch_ssl_certificates_for_fqdns API (SEC-489).

cPanel before 80.0.5 allows local code execution in the context of a different cPanel account because of insecure cpphp execution (SEC-486).

cPanel before 80.0.22 allows remote code execution by a demo account because of incorrect URI dispatching (SEC-501).

cPanel before 82.0.2 does not properly enforce Reseller package creation ACLs (SEC-514).

cPanel before 82.0.2 has stored XSS in the WHM Modify Account interface (SEC-512).

cPanel before 82.0.2 allows local users to discover the MySQL root password (SEC-510).

cPanel before 82.0.2 allows unauthenticated file creation because Exim log parsing is mishandled (SEC-507).

cPanel before 82.0.2 has Self XSS in the cPanel and webmail master templates (SEC-506).

cPanel before 82.0.2 has stored XSS in the WHM Tomcat Manager interface (SEC-504).

Multiple cross-site scripting (XSS) vulnerabilities in autoinstall4imagesgalleryupgrade.php in the Fantastico De Luxe Module for cPanel allow remote attackers to inject arbitrary web script or HTML via the (1) localapp, (2) updatedir, (3) scriptpath_show, (4) domain_show, (5) thispage, (6) thisapp, and (7) currentversion parameters in an Upgrade action.

Directory traversal vulnerability in autoinstall4imagesgalleryupgrade.php in the Fantastico De Luxe Module for cPanel allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the scriptpath_show parameter in a GoAhead action. NOTE: this issue only crosses privilege boundaries when security settings such as disable_functions and safe_mode are active, since exploitation requires uploading of executable code to a home directory.

Directory traversal vulnerability in frontend/x3/stats/lastvisit.html in cPanel allows remote attackers to read arbitrary files via a .. (dot dot) in the domain parameter.

cPanel does not automatically synchronize the PHP open_basedir configuration directive between the main server and virtual hosts that share physical directories, which might allow a local user to bypass open_basedir restrictions and access other virtual hosts via a PHP script that uses a main server URL (such as ~username) that is blocked by the user's own open_basedir directive, but not the main server's open_basedir directive.

fantastico in Cpanel does not properly handle when it has insufficient permissions to perform certain file operations, which allows remote authenticated users to obtain the full pathname, which is leaked in a PHP error message.

Cross-site scripting (XSS) vulnerability in dowebmailforward.cgi in cPanel allows remote attackers to inject arbitrary web script or HTML via a URL encoded value in the fwd parameter.