cPanel before 78.0.18 allows certain file-read operations in the context of the root account via the Exim virtual_user_spam router (SEC-484). Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.
cPanel before 80.0.5 allows unsafe file operations in the context of the root account via the fetch_ssl_certificates_for_fqdns API (SEC-489). Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.
A flaw was discovered in the way Ansible templating was implemented in versions before 2.6.18, 2.7.12 and 2.8.2, causing the possibility of information disclosure through unexpected variable. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.
IBM WebSphere Application Server - Liberty Admin Center could allow a remote attacker to hijack the clicking action of the victim. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity.
cPanel before 82.0.2 has stored XSS in the WHM Modify Account interface (SEC-512). Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
cPanel before 82.0.2 has stored XSS in the WHM Tomcat Manager interface (SEC-504). Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
cPanel before 78.0.2 does not properly restrict demo accounts from writing to files via the DCV UAPI (SEC-473). Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
cPanel before 80.0.5 allows demo accounts to modify arbitrary files via the extractfile API1 call (SEC-496). Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
cPanel before 80.0.5 allows local code execution in the context of a different cPanel account because of insecure cpphp execution (SEC-486). Rated medium severity (CVSS 5.3), this vulnerability is low attack complexity. No vendor patch available.
A flaw was discovered in fence-agents, prior to version 4.3.4, where using non-ASCII characters in a guest VM's comment or other fields would cause fence_rhevm to exit with an exception. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.
Kibana versions before 6.8.2 and 7.2.1 contain a server side request forgery (SSRF) flaw in the graphite integration for Timelion visualizer. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Bypass lock protection in the Nextcloud Android app prior to version 3.6.1 allows accessing the files when repeatedly opening and closing the app in a very short time. Rated medium severity (CVSS 4.6), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
A Vulnerability has been found in PowerDNS Authoritative Server before versions 4.1.9, 4.0.8 allowing a remote, authorized master server to cause a high CPU load or even prevent any further updates. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.
A missing check in the Nextcloud Server prior to version 15.0.1 causes leaking of calendar event names when adding or modifying confidential or private events. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A vulnerability was found in PostgreSQL versions 11.x up to excluding 11.3, 10.x up to excluding 10.8, 9.6.x up to, excluding 9.6.13, 9.5.x up to, excluding 9.5.17. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
cPanel before 78.0.2 allows certain file-write operations as shared users during connection resets (SEC-476). Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
cPanel before 78.0.2 allows a demo account to link with an OpenID provider (SEC-460). Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
cPanel before 78.0.18 offers an open mail relay because of incorrect domain-redirect routing (SEC-483). Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
OpenSSL has internal defaults for a directory tree where it can find a configuration file as well as certificates used for verification in TLS. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. No vendor patch available.
In cPanel before 78.0.2, a Userdata cache temporary file can conflict with domains (SEC-478). Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. No vendor patch available.
Maketext in cPanel before 78.0.2 allows format-string injection in the DCV check_domains_via_dns UAPI (SEC-474). Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. No vendor patch available.
Maketext in cPanel before 78.0.2 allows format-string injection in the Email store_filter UAPI (SEC-472). Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. No vendor patch available.
cPanel before 78.0.18 unsafely determines terminal capabilities by using infocmp (SEC-481). Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. No vendor patch available.
API Analytics adminbin in cPanel before 80.0.5 allows spoofed insertions of log data (SEC-495). Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. No vendor patch available.
cPanel before 80.0.5 uses world-readable permissions for the Queueprocd log (SEC-494). Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. No vendor patch available.
cPanel before 82.0.2 does not properly enforce Reseller package creation ACLs (SEC-514). Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. No vendor patch available.
cPanel before 78.0.2 reveals internal data to OpenID providers (SEC-415). Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
OpenShift Container Platform before version 4.1.3 writes OAuth tokens in plaintext to the audit logs for the Kubernetes API server and OpenShift API server. Rated low severity (CVSS 2.3), this vulnerability is low attack complexity.