Security Vulnerabilities - CVEs Published In August 2019
In cPanel before 71.9980.37, API tokens retain ACLs after those ACLs are removed from the corresponding accounts (SEC-393).
CVSS Score: 7.2; EPSS Score: 0.005; Published: 2019-08-01

cPanel before 71.9980.37 allows code injection in the WHM cPAddons interface (SEC-394).
CVSS Score: 3.9; EPSS Score: 0.002; Published: 2019-08-01

cPanel before 71.9980.37 allows arbitrary file-unlink operations via the cPAddons moderation system (SEC-395).
CVSS Score: 2.8; EPSS Score: 0.001; Published: 2019-08-01

cPanel before 71.9980.37 allows e-mail injection during cPAddons moderation (SEC-396).
CVSS Score: 4.3; EPSS Score: 0.003; Published: 2019-08-01

cPanel before 71.9980.37 allows stored XSS in the WHM cPAddons installation interface (SEC-398).
CVSS Score: 6.1; EPSS Score: 0.004; Published: 2019-08-01

A flaw was found in Jolokia versions from 1.2 to before 1.6.1. Affected versions are vulnerable to a system-wide CSRF. This holds true for properly configured instances with strict checking for origin and referrer headers. This could result in a Remote Code Execution attack.
CVSS Score: 8.1; EPSS Score: 0.021; Published: 2019-08-01

cPanel before 74.0.0 insecurely stores phpMyAdmin session files (SEC-418).
CVSS Score: 5.3; EPSS Score: 0.001; Published: 2019-08-01

cPanel before 74.0.0 allows SQL injection during database backups (SEC-420).
CVSS Score: 9.8; EPSS Score: 0.003; Published: 2019-08-01

cPanel before 74.0.0 allows file modification in the context of the root account because of incorrect HTTP authentication (SEC-424).
CVSS Score: 5.5; EPSS Score: 0.001; Published: 2019-08-01

It was found that foreman, versions 1.x.x before 1.15.6, in Satellite 6 did not properly enforce access controls on certain resources. An attacker with access to the API and knowledge of the resource name can access resources in other organizations.
CVSS Score: 7.4; EPSS Score: 0.002; Published: 2019-08-01

