An issue was discovered in cPanel before 11.109.9999.116. XSS can occur on the cpsrvd error page via an invalid webcall ID, aka SEC-669. The fixed versions are 11.109.9999.116, 11.108.0.13, 11.106.0.18, and 11.102.0.31.

Cross-Site Request Forgery (CSRF) vulnerability in DigiTimber DigiTimber cPanel Integration allows Stored XSS. This issue affects DigiTimber cPanel Integration: from n/a through 1.4.6.

Sensitive information disclosure during file browsing due to improper symbolic link handling. The following products are affected: Acronis Backup plugin for cPanel & WHM (Linux) before build 818.

Arbitrary file overwrite during recovery due to improper symbolic link handling. The following products are affected: Acronis Backup plugin for cPanel & WHM (Linux) before build 818, Acronis Backup extension for Plesk (Linux) before build 599, Acronis Backup plugin for DirectAdmin (Linux) before build 181.

Sensitive data disclosure and manipulation due to unnecessary privileges assignment. The following products are affected: Acronis Backup plugin for cPanel & WHM (Linux) before build 619, Acronis Backup extension for Plesk (Linux) before build 555, Acronis Backup plugin for DirectAdmin (Linux) before build 147.

The Cpanel::JSON::XS package before 4.33 for Perl performs out-of-bounds accesses in a way that allows attackers to obtain sensitive information or cause a denial of service.

In cPanel before 96.0.13, scripts/fix-cpanel-perl does not properly restrict the overwriting of files (SEC-588).

In cPanel before 96.0.8, weak permissions on web stats can lead to information disclosure (SEC-584).

The WHM Locale Upload feature in cPanel before 98.0.1 allows unserialization attacks (SEC-585).

In cPanel before 98.0.1, /scripts/cpan_config performs unsafe operations on files (SEC-589).