cPanel before 71.9980.37 allows attackers to make API calls that bypass the images feature restriction (SEC-430).

cPanel before 71.9980.37 allows attackers to make API calls that bypass the backup feature restriction (SEC-429).

cPanel before 71.9980.37 allows attackers to make API calls that bypass the cron feature restriction (SEC-427).

cPanel before 71.9980.37 allows self XSS in the WHM Backup Configuration interface (SEC-421).

cPanel before 71.9980.37 allows attackers to read root's crontab file by leveraging ClamAV installation (SEC-408).

cPanel before 71.9980.37 allows Remote-Stored XSS in WHM Save Theme Interface (SEC-400).

cPanel before 11.54.0.0 allows unauthorized zone modification via the WHM API (SEC-66).

cPanel before 11.54.0.0 allows unauthorized password changes via Webmail API commands (SEC-65).

cPanel before 11.54.0.0 allows unauthenticated arbitrary code execution via DNS NS entry poisoning (SEC-64).

cPanel before 11.54.0.0 allows a bypass of the e-mail sending limit (SEC-60).

cPanel before 11.54.0.0 allows subaccounts to discover sensitive data through comet feeds (SEC-29).

cPanel before 11.54.0.4 allows unauthenticated arbitrary code execution via cpsrvd (SEC-91).

cPanel before 11.54.0.4 allows self XSS in the X3 Entropy Banner interface (SEC-87).

cPanel before 11.54.0.4 allows stored XSS in the WHM Feature Manager interface (SEC-86).

cPanel before 11.54.0.4 lacks ACL enforcement in the AppConfig subsystem (SEC-85).

cPanel before 11.54.0.4 allows self XSS in the WHM PHP Configuration editor interface (SEC-84).

cPanel before 11.54.0.4 allows arbitrary code execution via scripts/synccpaddonswithsqlhost (SEC-83).

cPanel before 11.52.0.13 does not prevent arbitrary file-read operations via get_information_for_applications (CPANEL-1221).

Windu CMS 2.2 allows XSS via the name parameter to admin/content/edit or admin/content/add, or the username parameter to admin/users.

Windu CMS 2.2 allows CSRF via admin/users/?mn=admin.message.error to add an admin account.