CVE-2021-38590
In cPanel before 96.0.8, weak permissions on web stats can lead to information disclosure (SEC-584).
Source: CVE-2021-38590
CVE-2021-38584
The WHM Locale Upload feature in cPanel before 98.0.1 allows XXE attacks (SEC-585).
Source: CVE-2021-38584
CVE-2021-38589
In cPanel before 96.0.13, scripts/fix-cpanel-perl does not properly restrict the overwriting of files (SEC-588).
Source: CVE-2021-38589
CVE-2021-38588
In cPanel before 96.0.13, fix_cpanel_perl lacks verification of the integrity of downloads (SEC-587).
Source: CVE-2021-38588
CVE-2021-38587
In cPanel before 96.0.13, scripts/fix-cpanel-perl mishandles the creation of temporary files (SEC-586).
Source: CVE-2021-38587
CVE-2021-38585
The WHM Locale Upload feature in cPanel before 98.0.1 allows unserialization attacks (SEC-585).
Source: CVE-2021-38585
CVE-2021-37697
tmerc-cogs are a collection of open source plugins for the Red Discord bot. A vulnerability has been found in the code that allows any user to access sensitive information by crafting a specific membership event message. Issue is patched in commit d63c49b4cfc30c795336e4fff08cba3795e0fcc0. As a workaround users may unload the Welcome cog.
Source: CVE-2021-37697
CVE-2021-38586
In cPanel before 98.0.1, /scripts/cpan_config performs unsafe operations on files (SEC-589).
Source: CVE-2021-38586
CVE-2021-37696
tmerc-cogs are a collection of open source plugins for the Red Discord bot. A vulnerability has been found in the code that allows any user to access sensitive information by crafting a specific MassDM message. Issue is patched in commit 92325be650a6c17940cc52611797533ed95dbbe1. All users are advised to update to the current commit. As a workaround users may unload the MassDM cog or globally disable the `[p]massdm` command.
Source: CVE-2021-37696
CVE-2021-36770
Encode.pm, as distributed in Perl through 5.34.0, allows local users to gain privileges via a Trojan horse Encode::ConfigLocal library (in the current working directory) that preempts dynamic module loading. Exploitation requires an unusual configuration, and certain 2021 versions of Encode.pm (3.05 through 3.11). This issue occurs because the || operator evaluates @INC in a scalar context, and thus @INC has only an integer value.
Source: CVE-2021-36770