Overview :
cPanel before 82.0.18 allows attackers to leverage virtual mail accounts in order to bypass account suspensions (SEC-508).
Affected Product(s) :
Skip to end of metadata

Go to start of metadata



  • Fixed case CPANEL-30391: Support password and shadow file lookups with windows line endings.



  • [security] Fixed case SEC-499: Authentication bypass due to variations in webmail username handling.
  • [security] Fixed case SEC-508: Account suspension bypass via virtual mail accounts.
  • [security] Fixed case SEC-516: Authentication bypass due to faulty password file format parsing.
  • [security] Fixed case SEC-520: Self-XSS due to faulty JSON string escaping.
  • [security] Fixed case SEC-525: Cpanel::Rand::Get can produce predictable output.
  • [security] Fixed case SEC-531: MySQL dump streaming allowed reading all databases.
  • [security] Fixed case SEC-532: Root chown on arbitrary paths in cPanel log processing.
  • [security] Fixed case SEC-533: Stored-XSS Vulnerability in WHM Backup Restoration.
  • [security] Fixed case SEC-534: WebDAV authentication bypass due to faulty connection sharing logic.



  • Fixed case CPANEL-28797: Ensure that MySQL 5.6 dependencies are met during initial system installation.
  • Fixed case CPANEL-29522: Update rpm.versions for cpanel-phpmyadmin 4.8.5-5.cp1180.
  • Implemented case CPANEL-29751: Suppress “reset_autossl_provider” API and UI control.
  • Implemented case CPANEL-29782: Better handle LetsEncrypt Errors in AutoSSL interface.



  • [security] Fixed case CPANEL-29669: Updated Exim for CVE-2019-16928.



  • [security] Fixed case SEC-517: cPanel API token credentials remain after account rename or termination.
  • [security] Fixed case SEC-521: Self-XSS vulnerability in the cPanel SSL Certificate Upload interface.
  • [security] Fixed case SEC-524: Self-XSS vulnerabilities in cPanel LiveAPI example scripts.
  • [security] Fixed case SEC-526: Self-XSS vulnerability in the cPanel SSL Key Delete interface.
  • [security] Fixed case SEC-527: Self-stored XSS vulnerability in the WHM SSL Storage Manager interface.
  • [security] Fixed case SEC-528: Self-XSS Vulnerability in the WHM Update Preferences interface.



  • [security] Fixed case CPANEL-29223: Update rpm.versions for exim 4.92-3.cp1180. Fixes CVE-2019-15846.



  • Fixed case CPANEL-28960: Restore performance of securetmp during install.
  • Fixed case CPANEL-29016: Update rpm.versions for cpanel-clamav 0.101.4-1.cp1180.
  • Fixed case CPANEL-29141: Restore specific error message when password is too weak upon creating a DB user.



  • Fixed case CPANEL-28826: Ensure that iptables xlock failures trigger a failure state.
  • Fixed case CPANEL-28892: Do securetmp before starting background installs processes.
  • Fixed case CPANEL-29060: Update rpm.versions for dovecot Fixes CVE-2019-11500.



  • Fixed case CPANEL-28424: Allow wildcard subdomains to be managed in WHM > MultiPHP Manager.
  • Fixed case CPANEL-28779: Ensure mailscanner RPM target is set for systems with MailScanner installed.
  • Fixed case CPANEL-28832: Fixed validation of wildcard subdomains when installing SSL certificates via cPanel >> Security >> SSL/TLS, Manage SSL Hosts.



  • Fixed case CPANEL-26448: Don’t apply virtual mailbox disk usage to the cPanel system user’s disk usage.
  • Fixed case CPANEL-27600: Do not count ip change as a failed login attempt.
  • Fixed case CPANEL-28428: Update rpm.versions for MySQL56 5.6.45-1.cp1178.
  • Fixed case CPANEL-28615: Report configuration information.
  • Fixed case CPANEL-28685: Update rpm.versions for cpanel-php72 7.2.7-10.cp1182.
  • Fixed case CPANEL-28735: Update rpm.versions for cpanel-clamav 0.101.3-1.cp1180.
  • Fixed case CPANEL-28763: Ensure server contact emails containing multiple dots in the localpart do not break parsing of SOA records in DNS zone files.



  • Fixed case CPANEL-28656: Ensure MySQL 5.6 can be installed during cPanel install.
  • Fixed case CPANEL-28720: Don’t secure MySQL when /etc/securemysqldisable or /etc/mysqldisable are present.



  • Fixed case CPANEL-28635: Fix wildcard subdomain CSR generation.



  • Fixed case CPANEL-28124: Ensure the correct character set is selected when modifying an autoresponder.
  • Fixed case CPANEL-28481: Ensure we escape ‘<‘ correctly when stringifying JSON in Template Toolkit.
  • Fixed case CPANEL-28579: Ensure pre-licensed CloudLinux installations on CentOS install successfully.
  • Fixed case CPANEL-28591: Ensure terminal UI functions on CloudLinux systems.



  • Fixed case CPANEL-28314: Ensure cpipv6 and other services are enabled correctly during initial install.
  • Fixed case CPANEL-28473: Fix bug in scripts/post_sync_cleanup where queueprocd was not restarted before we ran tasks in bin/taskrun that relied on queueprocd.
  • Fixed case CPANEL-28492: Fix issue where update_quota_cache would issue warnings and fail to detect quota issues with disks in some situations.



  • [security] Fixed case CPANEL-28455: Update rpm.versions for exim 4.92-2.cp1180. Fixes CVE-2019-13917.



  • Fixed case CPANEL-28108: Fix links for WHM access and phpPgAdmin in cPanel.
  • Fixed case CPANEL-28146: Avoid overwriting existing firewall settings.
  • Fixed case CPANEL-28272: Ensure postgres backups occur when PSQLBACKUP is enabled in the backup config.
  • Fixed case CPANEL-28354: Display “PHP PECL” in uppercase.
  • Fixed case CPANEL-28384: Correct /var/cpanel/datastore permissions on update.
  • Fixed case CPANEL-28388: Ensure mailscanner RPM target is set for systems with MailScanner installed.
  • Fixed case CPANEL-28422: Resolved module dependency for fetchzones cpapi2 call.
  • Fixed case CPANEL-28441: Avoid named.conf cache rebuild on zone reload.
  • Fixed case CPANEL-28444: Reduce the rate at which AutoSSL redoes the DCV setup.



  • Fixed case CPANEL-27452: Fix bug in cpanel_php_fpm configuration where horde_lz4 extension was not loaded by making sure it does not load when not on php-fpm as well.
  • Fixed case CPANEL-28066: Improve usability of WHM and cPanel MultiPHP Manager when PHP is not installed.
  • Fixed case CPANEL-28178: Partially configured cPanelID not showing on the login page.
  • Fixed case CPANEL-28190: Update rpm.versions for cpanel-wrap 80.4-1.cp1180.
  • Fixed case CPANEL-28305: Restore loading of custom themes.
  • Fixed case CPANEL-28306: Restart FPM after clear_horde_cache task if it is enabled.



  • [security] Fixed case SEC-504: Stored-XSS vulnerability in WHM Tomcat Manager interface.
  • [security] Fixed case SEC-506: Self XSS vulnerability in cPanel and webmail master templates.
  • [security] Fixed case SEC-507: Unauthenticated file creation vulnerability via Exim log parsing.
  • [security] Fixed case SEC-510: Root MySQL password revealed to local accounts.
  • [security] Fixed case SEC-512: Stored-XSS vulnerability in WHM Modify Account interface.
  • [security] Fixed case SEC-514: Reseller package creation ACLs enforced incorrectly.



  • Fixed case CPANEL-23899: Update cpanel-php72-Horde-Cache to 2.5.5-5.cp1176.
  • Fixed case CPANEL-26240: Update rpm.versions for cpanel-perl-528-Encode 2.98-2.cp1178.
  • Fixed case CPANEL-27882: Fix error logged to JS console on Backup Restoration page.
  • Fixed case CPANEL-27963: Fix bug in backup restoration template when a user is named ‘keys’.
  • Fixed case CPANEL-28062: Correctly validate that no common HTML entities are present in specimens in Cpanel::Validate::Html::no_common_html_entities_or_die.
  • Fixed case CPANEL-28078: Ensure tailwatchd does not die from SIGALRM during hot restarts.
  • Fixed case CPANEL-28081: Fix ODIC logins when the PublicSuffix cache is out of date.
  • Fixed case CPANEL-28089: Correctly generate ssl_min_protocol based on the value of ssl_protocols, when applicable.
  • Fixed case CPANEL-28095: Update cpanel-php72-Horde-Form to 2.0.19-4.cp1176.
  • Fixed case CPANEL-28121: Resolve missing UI with IP migration wizard when accessing afterwards.
  • Fixed case CPANEL-28159: Fix empty MySQL backups in cPanel-originated backups.



  • Fixed case CPANEL-25410: Update rpm.versions for cpanel-mailman 2.1.27-4.cp1178.
  • Fixed case CPANEL-26218: Ensure the MultiPHP Manager Apply button for PHP version changes will properly display a loading icon when it is doing work.
  • Fixed case CPANEL-27254: Fix addition of MX record in cPanel to preserve manual local MX routing.
  • Fixed case CPANEL-27391: Trap errors from DnsAdmin in DNS modifications.
  • Fixed case CPANEL-27672: Reduce number of Perl warnings from Cpanel::API::ImageManager.
  • Fixed case CPANEL-27728: Fix readline on closed filehandle warning in WHM Tranfer Tool after homedir is finished streaming.
  • Fixed case CPANEL-27775: Ensure fastestmirror cache is reset when installing a new repo.
  • Fixed case CPANEL-27824: Support reading and writing the ‘key = value’ syntax for sshd_config.
  • Fixed case CPANEL-27826: Update cpanel-roundcubemail to 1.3.8-8.cp1180.
  • Fixed case CPANEL-27830: Fix bug in ssl_call adminbin that prevented SSL pending queue run via cron.
  • Fixed case CPANEL-27833: CLDR data loads correctly in CJT 1 & CJT2 apps.
  • Fixed case CPANEL-27859: Fix cpsrvd EBADF errors when Chrome reused connections.
  • Fixed case CPANEL-27866: Improve Cpanel::SafeFile’s file locking algorithm.
  • Fixed case CPANEL-27871: Remove personal data from the URL when editing and deleting autoresponders in cPanel.
  • Fixed case CPANEL-27888: Fix over-escaping in BoxTrapper error message.
  • Fixed case CPANEL-27889: Fix parsing of # in zone file rnames.
  • Fixed case CPANEL-27901: Add acknowledgement of username and password for LiteSpeed.
  • Fixed case CPANEL-27907: Fix false PostgreSQL database map warning when changing password of a cPanel account that contains an underscore.
  • Fixed case CPANEL-27912: Restore regex search for databases.
  • Fixed case CPANEL-27920: Fix race condition in cpsrvd’s WebSocket streaming logic.
  • Fixed case CPANEL-27924: Fix errors when making PostgreSQL database changes.
  • Fixed case CPANEL-27979: Fixed missing locale phrases in the domains ui.
  • Fixed case CPANEL-27988: Added more validation to BoxTrapper::get_log UAPI call.
  • Fixed case CPANEL-28000: Fix some warnings generated in scripts/ea4_fresh_install.
  • Fixed case CPANEL-28008: Ensure root is not restricted by dns and ownership checks.
  • Fixed case CPANEL-28044: Change the UAPI GPG generate_key to accept a Unix timestamp for the expire parameter and add a no_expire parameter.
  • Implemented case CPANEL-27982: Add a WHM API 1 method to get the current user count.
  • Implemented case CPANEL-28028: Fix API restrictions for count_forwarders and count_filters.
  • Implemented case CPANEL-28068: Add a perl528-mailscanner rpm target.



  • Fixed case CPANEL-15085: DNS Clustering: Remove confusing warning about ‘reverse trust’.
  • Fixed case CPANEL-16159: 1-to-1 NAT: Include public IPs Exim’s extra_local_interfaces.
  • Fixed case CPANEL-16829: Acct xfer: restore grants and DB mapping under shared remote MySQL.
  • Fixed case CPANEL-18567: Update Host Access Control UI tab indices for newly created elements.
  • Fixed case CPANEL-22228: Preserve Site Software domain selection when switching to/from advanced install.
  • Fixed case CPANEL-22562: Transfer Tool: Throw an error from the OldHomedirs module if the home directory for the user does not exist.
  • Fixed case CPANEL-22932: Fix undefined value error in greylisting scripts.
  • Fixed case CPANEL-23030: Fix incorrect WordPress update notifications.
  • Fixed case CPANEL-23061: Rebuild apache config when generating default SSL certs for cPanel services.
  • Fixed case CPANEL-23612: Ensure that the word ‘Create’ is translated properly in German for the paper_lantern theme.
  • Fixed case CPANEL-23998: Fix bug where unnecessary .htaccess lines were added when Apache PHP-FPM was enabled, resulting in breakage on switch to LSAPI.
  • Fixed case CPANEL-24152: Add new WHM API call to get minimum password strength configurations.
  • Fixed case CPANEL-24433: Update cpsrvd pidfile earlier in the startup sequence to avoid some race conditions.
  • Fixed case CPANEL-24437: WHM API: Update create_user_session so that the app parameter works with WHM.
  • Fixed case CPANEL-24506: Backups will transport to additional destinations even if there are problems with the transfer history database.
  • Fixed case CPANEL-24771: Prefer the hostname when there is a conflict determining the mail HELO.
  • Fixed case CPANEL-24811: Ensure the Track Delivery graphic is legible in the dark style.
  • Fixed case CPANEL-25100: Adjust horde cache files tweak setting to list a recommended value of 180 days and only allow options > 0.
  • Fixed case CPANEL-25106: Improve the user experience for RTL languages on the webmail home page.
  • Fixed case CPANEL-25110: Suppress stack traces emitted by the Security Advisor due to KernelCare license authentication failures.
  • Fixed case CPANEL-25123: Prevent “cannot chdir” warnings when /scripts/runweblogs is run from folders that users don’t have access to.
  • Fixed case CPANEL-25123: Correct improper time handling that lead to warnings and failures to delete the modsecurity logs in the month of January.
  • Fixed case CPANEL-25327: ProFTP passive port range is now respected on all virtualhosts.
  • Fixed case CPANEL-25557: WHM: Improve how the ‘base’ is configured on AngularJS interfaces to better support certain reverse proxy configurations.
  • Fixed case CPANEL-25603: Ensure keys with null values are correctly handled when rebuilding /etc/my.cnf.
  • Fixed case CPANEL-25646: Ensure that modifyacct properly handles addon domains that are subdomains of the primary domain.
  • Fixed case CPANEL-25775: Fix bug of adding IPv6 subdomain of addon domain as a new addon domain.
  • Fixed case CPANEL-25776: Use authentication in .my.cnf when accessing WHM > phpMyAdmin.
  • Fixed case CPANEL-25777: Ensure the EasyApache 4 landing page fully loads before showing profiles.
  • Fixed case CPANEL-25780: Improve exception handling in WHM API1 php_get_handlers.
  • Fixed case CPANEL-25832: Update error presented when partner related account tries to purchase LiteSpeed.
  • Fixed case CPANEL-25867: Avoid data loss when running update-roundcube-sqlite-db for the first time by properly detecting the installed version of Roundcube’s database schema.
  • Fixed case CPANEL-25886: Invalid Webmail Apps config prevented displayed of all Webmail apps.
  • Fixed case CPANEL-25892: Ensure MariaDB 10.3 repos exist for RHEL systems.
  • Fixed case CPANEL-25953: Ensure users can create profiles on the Manage MySQL Profiles interface in WHM.
  • Fixed case CPANEL-25997: Allow usage of the “Configuration Clustering” feature on DNSONLY systems.
  • Fixed case CPANEL-26002: Allow working around LMTP failures related to broken system quotas by making rebuildeximconf know to disable quota checking in the event this situation is detected.
  • Fixed case CPANEL-26007: Don’t add AAAA records for A records that point towards remote IPs.
  • Fixed case CPANEL-26008: Ensure we report errors in the Apache Global Configuration interface when rebuilding the Apache configuration.
  • Fixed case CPANEL-26008: Add basic validation for the Apache configuration sslprotocol key.
  • Fixed case CPANEL-26048: Refer to port 2089, not 80, for license server connectivity errors.
  • Fixed case CPANEL-26054: Spam scan emails with a local destination, but an external forwarded address if enabled in Exim tweak settings.
  • Fixed case CPANEL-26055: Correct description of successful login cache in WHM Mailserver Configuration.
  • Fixed case CPANEL-26061: Fix problems with curly braces in large BoxTrapper lists.
  • Fixed case CPANEL-26063: Allow installing DKIM locally even if un-authoritative.
  • Fixed case CPANEL-26067: Ensure ProFTPd doesn’t crash when suspending an account with a dedicated IP.
  • Fixed case CPANEL-26074: Ensure account transfer destination, or “home” directories, exist prior to initiating transfers.
  • Fixed case CPANEL-26113: Suppress unwanted output during scheduled upcp runs which would mail the configured system contacts.
  • Fixed case CPANEL-26124: Warn when mysql is down in the WHM mysql upgrade interface.
  • Fixed case CPANEL-26139: Remove legacy EA3 code from MySQL upgrade process.
  • Fixed case CPANEL-26146: Remove single-use task processor function to set up analytics.
  • Fixed case CPANEL-26163: Do not add perl exclude to yum.conf if system perl was found to be altered.
  • Fixed case CPANEL-26168: Force email accounts to be created as subaccounts in cPanel’s “Email Accounts” page when using a password.
  • Fixed case CPANEL-26200: Show the update network the server uses in Update Preferences.
  • Fixed case CPANEL-26211: No longer set the account IP to when restoring with the –skipaccount flag.
  • Fixed case CPANEL-26212: Return warnings in the output of the SSH genkey api2 call.
  • Fixed case CPANEL-26227: EasyApache 4 in CloudLinux will no longer display packages that cannot be installed.
  • Fixed case CPANEL-26278: Add additional check against LiteSpeed serial as returned from store.
  • Fixed case CPANEL-26300: Display a friendlier message on the Repair a MySQL Database interface when we detect the system is using a remote MySQL server.
  • Fixed case CPANEL-26322: Defer loading arg filtering and pagination until needed.
  • Fixed case CPANEL-26323: Dovecot registers the right date from migrated messages.
  • Fixed case CPANEL-26377: Correct exceptions generated by Whostmgr::API::1::ConvertAddon.
  • Fixed case CPANEL-26377: Correct exceptions generated by Cpanel::Config::userdata::TwoFactorAuth::Secrets.
  • Fixed case CPANEL-26400: Update cpanel-roundcubemail to 1.3.8-2.cp1180.
  • Fixed case CPANEL-26402: Provide a clearer error when cPanel > Domains disallows new domains.
  • Fixed case CPANEL-26408: Enable X-Frame-Options and X-Content-Type-Options in cpsrvd by default.
  • Fixed case CPANEL-26419: Replace all GET params with POST params in BoxTrapper UI.
  • Fixed case CPANEL-26422: Add support for reporting MariaDB version info.
  • Fixed case CPANEL-26443: Breakout Cpanel::AccessIds::loadfile_as_user into its own module.
  • Fixed case CPANEL-26445: Prevent Whostmgr::ACLS from being loaded into adminbins.
  • Fixed case CPANEL-26447: Allow quotas to be enabled on a mount that was Previously a backup directory if backups have been disabled.
  • Fixed case CPANEL-26449: Remove legacy rrdtool bandwidth imports.
  • Fixed case CPANEL-26454: Defer rrdtool install.
  • Fixed case CPANEL-26458: Ensure tooltips on WHM MultiPHP Manager no longer flash.
  • Fixed case CPANEL-26459: Avoid installing user interface devel rpms by default.
  • Fixed case CPANEL-26460: Fix File Restoration UI so clearing failed attempts is consistent.
  • Fixed case CPANEL-26464: Reduce size of site-publisher-templates.
  • Fixed case CPANEL-26500: Remove additional unused and legacy rpms from install.
  • Fixed case CPANEL-26521: Only suggest purchase of KernelCare if the current running kernel has support.
  • Fixed case CPANEL-26529: Use a valid link for PEAR/PECL module documentation.
  • Fixed case CPANEL-26531: Defer extra system perl rpms until needed.
  • Fixed case CPANEL-26534: Ensure functional grants are created when a MySQL user without a password is transferred.
  • Fixed case CPANEL-26556: Remove transfer modules from whostmgr5.
  • Fixed case CPANEL-26557: Enable maildir_broken_filename_sizes in the default config for dovecot.
  • Fixed case CPANEL-26562: Ensure Compress::Raw::Lzma is available for updatenow on fresh install.
  • Fixed case CPANEL-26563: Download deferred rpms while waiting for EA4 install to finish.
  • Fixed case CPANEL-26565: New iContact email for failures of the Solr maintenance script.
  • Fixed case CPANEL-26567: Update Razor2-Client-Agent to 2.86.
  • Fixed case CPANEL-26573: Teach cpsrvd to use admin modules that are not binaries.
  • Fixed case CPANEL-26575: Move additional legacy rpms to the supplemental list.
  • Fixed case CPANEL-26579: Defer linking 3rdparty binaries until first upcp.
  • Fixed case CPANEL-26582: Enable packages needed to use debug mode in production by default.
  • Fixed case CPANEL-26584: Add GDGraph back to the RPM list.
  • Fixed case CPANEL-26609: Prune rpms list and optimize the rpm install process.
  • Fixed case CPANEL-26610: Reduce rpm contention during the install process.
  • Fixed case CPANEL-26611: Ensure that an empty cPAddons JSON file does not prevent cPanel from loading.
  • Fixed case CPANEL-26615: Suppress error in get_homematch_with_most_free_space().
  • Fixed case CPANEL-26618: Revise information displayed in Additional Destinations table.
  • Fixed case CPANEL-26626: Ensure we only use Cpanel::CPAN::Locale::Maketext.
  • Fixed case CPANEL-26629: Removed a large number of unused gzip files.
  • Fixed case CPANEL-26630: Don’t run setupipaliases when ipaliases has been disabled.
  • Fixed case CPANEL-26631: Move pwmksafecache to Cpanel::PwCache::Cache.
  • Fixed case CPANEL-26634: User Preference menu uses native JS in cPanel retro style.
  • Fixed case CPANEL-26635: Add missing perl module dependency for Munin plugin.
  • Fixed case CPANEL-26644: Port API 1 locale methods to UAPI.
  • Fixed case CPANEL-26647: restartsrv_cpanel_php_fpm randomly failed.
  • Fixed case CPANEL-26650: Reduce the interval between checks when acquiring a hostname certificate.
  • Fixed case CPANEL-26656: EA4 is installed too soon for php wrappers to be available.
  • Fixed case CPANEL-26664: WHM: Update the base tag in the master template to include the security token, if not present.
  • Fixed case CPANEL-26666: Restore and regroup Data::UUID for WordPress plugin.
  • Fixed case CPANEL-26667: Flush domain logs when needed before log processing starts.
  • Fixed case CPANEL-26669: Account Preferences now shows in cPanel Retro.
  • Fixed case CPANEL-26671: Ensure JSON API requests with no data are handled properly.
  • Fixed case CPANEL-26683: Provide an improved error for invalid CAA records during Autossl.
  • Fixed case CPANEL-26685: Update WHM API 1 ApplicationVersions to use Cpanel::RPM.
  • Fixed case CPANEL-26693: Implement native JS for notifications and sidebar.
  • Fixed case CPANEL-26699: Enable/disable monitoring for cphulkd when it is enabled/disabled.
  • Fixed case CPANEL-26703: Defer p0f on first rpm download during install.
  • Fixed case CPANEL-26704: Defer additional rpms on the first rpm downloading during install.
  • Fixed case CPANEL-26707: Move additional packages to the sysup supplemental list.
  • Fixed case CPANEL-26718: Download rpm sha files in parallel.
  • Fixed case CPANEL-26719: Significantly improve Cpanel::Sync::v2 performance.
  • Fixed case CPANEL-26731: Display correct module include path on WHM > Software > Install a Perl Module.
  • Fixed case CPANEL-26732: Do not display an error notice about cPHulk being disabled on the cPHulk interface when it is disabled.
  • Fixed case CPANEL-26736: Ensure cphulkd adds IPs to iptables when blacklisted ips attempt login when iptables support is enabled.
  • Fixed case CPANEL-26739: Email Deliverability now allows install of SPF when not authoritative.
  • Fixed case CPANEL-26757: Allow MySQL backups as the user via pkgacct.
  • Fixed case CPANEL-26765: Remove legacy language files from distribution.
  • Fixed case CPANEL-26768: Avoid unsupported components in the home page to load when using ‘retro’ style.
  • Fixed case CPANEL-26792: Assure cpanel-mariadb-connector is installed before cpanel-roundcubemail.
  • Fixed case CPANEL-26800: Automatically fix bad permissions on maildirsize files which would hinder dovecot mail sending and delivery.
  • Fixed case CPANEL-26816: Reduce deptree needed to obtain main ip with cache hit.
  • Fixed case CPANEL-26819: EA4 UI shows the correct state of packages (i.e. install/uninstall) in all scenarios.
  • Fixed case CPANEL-26824: Update securityadvisor to latest version.
  • Fixed case CPANEL-26824: Add reusable module for Store purchase and install integration.
  • Fixed case CPANEL-26826: Move ip4 validation function to their own namespace.
  • Fixed case CPANEL-26827: Parallelize fix-cpanel-perl.
  • Fixed case CPANEL-26831: Fix double stat in clean build-tools.
  • Fixed case CPANEL-26834: Update internal php to use MySQL 5.6.
  • Fixed case CPANEL-26835: Reduce Cpanel::MagicRevision dep tree.
  • Fixed case CPANEL-26837: Make post install scripts use modulinos instead of direct execution.
  • Fixed case CPANEL-26841: Delete non-unix Cwd subs.
  • Fixed case CPANEL-26845: Defer DateTime modules on initial install.
  • Fixed case CPANEL-26854: BoxTrapper should more reliably detect when web verification is possible.
  • Fixed case CPANEL-26865: Restore Tree::DAG_Node needed for ea_convert_php_ini.
  • Fixed case CPANEL-26871: Ensure httpd.conf is built with splitlogs configured on initial install.
  • Fixed case CPANEL-26874: Resolve errors from install_php_inis during a fresh install.
  • Fixed case CPANEL-26876: Reduce time to uninstall rpms when switching versions.
  • Fixed case CPANEL-26879: Use MySQL 5.6 for cPanel-delivered MySQL client RPMs.
  • Fixed case CPANEL-26888: Move hulk setup earlier in the base install process to avoid empty key errors.
  • Fixed case CPANEL-26896: Prevent horde user install from failing when feature cache outdated.
  • Fixed case CPANEL-26897: Ensure MariaDB is controlled via systemd after unit name change.
  • Fixed case CPANEL-26901: Resolve error creating /etc/exim.pl.local fatpack.
  • Fixed case CPANEL-26909: Allow underscores in the Exim Configuration Manager SPF include field.
  • Fixed case CPANEL-26913: Update gatherer is being moved to cpanel-analytics rpm.
  • Fixed case CPANEL-26926: Do not send ’email limits’ notifications about non-existent domains.
  • Fixed case CPANEL-26932: Resolve exception while attempting to clear the pwcache during setuids.
  • Fixed case CPANEL-26936: Significantly improve verify_api_spec_files performance.
  • Fixed case CPANEL-26944: Remove force compiled modules that where removed from cpanelsync_ignore.
  • Fixed case CPANEL-26952: Optimize yum FastestMirror plugin for EA4.
  • Fixed case CPANEL-26953: Remove EA3 support from enablefileprotect.
  • Fixed case CPANEL-26958: Update notice about SNI support on older browsers.
  • Fixed case CPANEL-26964: Parallelize JS minify.
  • Fixed case CPANEL-26965: Add WHM API methods for linking remote server nodes.
  • Fixed case CPANEL-26971: Reduce disk i/o required to run nightly maintenance.
  • Fixed case CPANEL-26988: Service Status page now shows MariaDB information when MariaDB is installed.
  • Fixed case CPANEL-26994: Prevent cpsrvd from inadvertently sending TCP RST.
  • Fixed case CPANEL-26996: Fix issues in repository creation in Git™ Version Control.
  • Fixed case CPANEL-26997: Add UAPI support for 4 Mysql methods to list_databases, list_users, routines, and update_privileges.
  • Fixed case CPANEL-27001: Set all directives in one edit in bin/checkphpini.
  • Fixed case CPANEL-27004: Reduce bin/update_horde_config runtime when there is no work to do.
  • Fixed case CPANEL-27022: Report EA4 install errors earlier in the install process.
  • Fixed case CPANEL-27031: Avoid breaking a special nameserver zone when updating it.
  • Fixed case CPANEL-27070: Resolve warning when creating a PostgresSQL DB.
  • Fixed case CPANEL-27080: Optimize uapi and cpanel profile checks.
  • Fixed case CPANEL-27082: Remove unused $mailactionhost expansion.
  • Fixed case CPANEL-27083: Reduce uapi startup time by defering locale until needed.
  • Fixed case CPANEL-27093: Create UAPI calls for BoxTrapper On/Off API1 calls.
  • Fixed case CPANEL-27094: Vanilla JS search functionality is implemented in cPanel master template which replaces the uib-typeahead component.
  • Fixed case CPANEL-27095: Resolve error stopping cpdavd/cpsrvd/cphulkd during fresh cPanel install.
  • Fixed case CPANEL-27096: Create UAPI calls for Serverinfo API1 calls.
  • Fixed case CPANEL-27097: Improve handling of SPF errors.
  • Fixed case CPANEL-27103: Enable cache syncing when (un)suspending email accounts.
  • Fixed case CPANEL-27112: Support pip and gem in Application Manager’s Ensure Dependencies.
  • Fixed case CPANEL-27116: cPanel API Token Icons now mirror WHM’s.
  • Fixed case CPANEL-27119: Ensure it is possible to enqueue transfer items with size=0.
  • Fixed case CPANEL-27125: Ensure nscd service is configured to start on boot.
  • Fixed case CPANEL-27152: Workaround slow systemd show/status performance with a large journal.
  • Fixed case CPANEL-27183: Avoid adding missing configuration to my.cnf multiple times during MySQL or MariaDB upgrade when empty lines are present.
  • Fixed case CPANEL-27191: Improve usability, upgrades, and reporting for Solo Licenses.
  • Fixed case CPANEL-27198: External Auth fails to link users when logging in with the root or reseller password.
  • Fixed case CPANEL-27201: Allow UAPI Fileman::list_files to return files or folders that are just dots.
  • Fixed case CPANEL-27207: Make sure MySQLClean::perform is run on DNS only installs.
  • Fixed case CPANEL-27217: Handle unicode encoding generated by Angular compilation.
  • Fixed case CPANEL-27231: Add the ability to flag WHM API methods as experimental.
  • Fixed case CPANEL-27233: Decrease complexity of cpanel_initial_install script sub.
  • Fixed case CPANEL-27262: Added BoxTrapper get_log UAPI call to replace API1 BoxTrapper showlog call.
  • Fixed case CPANEL-27267: Added BoxTrapper list_queued_messages UAPI call to replace both the API 1 BoxTrapper showqueue and showqueuesearch.
  • Fixed case CPANEL-27276: Update improper spelling of ‘JetBackup’.
  • Fixed case CPANEL-27290: Update site-publisher-templates to 1.0-4.cp1178.
  • Fixed case CPANEL-27292: Updated bin/manage_hooks help text for clearer usage.
  • Fixed case CPANEL-27305: If a system was installed using the –skipapache option, the Apache web server will no longer appear in the service manager.
  • Fixed case CPANEL-27311: Now accounting for unlimited licensing in Transfer Tool.
  • Fixed case CPANEL-27312: Provide a means to install EasyApache4 if it had been skipped during the initial install.
  • Fixed case CPANEL-27315: Allow acctxferrsync in cPanel and via API tokens.
  • Fixed case CPANEL-27329: Automatically rebuild a corrupted task scheduler state file.
  • Fixed case CPANEL-27331: Break-apart cpanel_initial_install into Cpanel::Install.
  • Fixed case CPANEL-27334: Add toggle to disable extended status to Apache configuration page.
  • Fixed case CPANEL-27336: Fix memory exhaustion vulnerability in UAPI call “Email list_auto_responders”.
  • Fixed case CPANEL-27401: Prevent RPM downloads from using too much memory.
  • Fixed case CPANEL-27402: Block spamd from starting on fresh installs.
  • Fixed case CPANEL-27413: Update cpanel-perl-528-Net-Whois-IANA to 0.44-2.cp1178.
  • Fixed case CPANEL-27418: Defer security advise check until the first maintenance after install.
  • Fixed case CPANEL-27433: Resolve performance regression with the customizations addition.
  • Fixed case CPANEL-27448: Plus addressing for default email now displays the the correct email.
  • Fixed case CPANEL-27457: Add caching to store license request for automated addon installs.
  • Fixed case CPANEL-27475: CloudLinux Store integration.
  • Fixed case CPANEL-27482: Improve validation of SSLCipherSuite value.
  • Fixed case CPANEL-27485: Migrate BoxTrapper message and action API’s to UAPI.
  • Fixed case CPANEL-27487: Fix 404 errors when clicking certain internal links in BoxTrapper in Webmail.
  • Fixed case CPANEL-27499: Simplified the UAPI Mysql list_users API return type.
  • Fixed case CPANEL-27512: Fix permissions on /var/cpanel/datastore.
  • Fixed case CPANEL-27524: Fix apache_conf_distiller –store-data so as not crash on the RequireAll directive.
  • Fixed case CPANEL-27526: Fix an incorrect backup pruning error message.
  • Fixed case CPANEL-27535: Remove redundant fields from UAPI Mysql::list_databases.
  • Fixed case CPANEL-27549: SSL::installed_host now correctly mirrors SSL:installed_hosts.
  • Fixed case CPANEL-27563: Create email_accounts.json with the proper user.
  • Fixed case CPANEL-27569: Reduce overhead needed to lookup a value in the Template Toolkit Stash.
  • Fixed case CPANEL-27594: Restore CryptX support needed for Let’s Encrypt.
  • Fixed case CPANEL-27602: Default behavior of opening links is restored for links shown in search.
  • Fixed case CPANEL-27603: Ensure rebuild-templates works if customizations are missing.
  • Fixed case CPANEL-27606: Fix lstat on filehandle warning in bin/backup.
  • Fixed case CPANEL-27611: Clear mount cache before listing available homedir locations in WHM Rearrange an Account.
  • Fixed case CPANEL-27621: Migrated BoxTrapper configuration API’s to UAPI.
  • Fixed case CPANEL-27631: Update Security Advisor in v82 to use 80-compatible Imunify360 interface.
  • Fixed case CPANEL-27636: Reduce cli api startup overhead.
  • Fixed case CPANEL-27655: Remove vestigial code referencing Attracta.
  • Fixed case CPANEL-27663: cPanel master template is written in plain Javascript without any dependency on any framework.
  • Fixed case CPANEL-27664: Add more POD including Template Toolkit examples to the POD for the UAPI ImageManager module.
  • Fixed case CPANEL-27666: Make admin failure to rebuild features cache nonfatal.
  • Fixed case CPANEL-27670: Recheck Certificate Details when The Recheck is Pressed.
  • Fixed case CPANEL-27674: Add data caching to Backup Configuration application.
  • Fixed case CPANEL-27676: Prevent spurious mailman errors during fresh install.
  • Fixed case CPANEL-27696: Ensure mailman archive permissions are set during fresh install.
  • Fixed case CPANEL-27697: Do not require lsattr to be installed during initial installation.
  • Fixed case CPANEL-27703: Prevent get_cphulk_failed_logins WHMAPI1 call from timing out.
  • Fixed case CPANEL-27711: Domain in cPanel now links to https for any installed certificate.
  • Fixed case CPANEL-27718: Update MySQL related pages to use UAPI calls.
  • Fixed case CPANEL-27725: API Tokens UIs can now specify expiration dates.
  • Fixed case CPANEL-27749: Fix spurious warning on license-excess note.
  • Fixed case CPANEL-27756: The Datepicker will now properly display on RTL locales.
  • Fixed case CPANEL-27768: Update API 1 Ftp server role assertion to check for the ‘FTP’ role.
  • Fixed case CPANEL-27776: Ensure dependencies for multiple types in an application from cPanel > Application Manager Interface.
  • Fixed case CPANEL-27783: Attempt to get to the latest version in your major if blocked getting to a different major version.
  • Fixed case CPANEL-27790: Teach cpsrvd to ignore a request whose process disappears.
  • Fixed case CPANEL-27793: Correct spelling error in statmanager.cgi.
  • Fixed case CPANEL-27797: Make cpsrvd forgo caching for admin binary .conf files.
  • Fixed case CPANEL-27808: Improve the error message returned when registering a Passenger application with a name that is too long.
  • Fixed case CPANEL-27811: Restore ability to set MySQL user password via scripts/mysqlpasswd.
  • Fixed case CPANEL-27816: Ensure MariaDB is enabled with systemd after upgrading to 10.3.
  • Fixed case CPANEL-27822: Defer checking spamd for 30 minutes after fresh installs.
  • Fixed case CPANEL-27825: Fix failure of scripts/convert_accesshash_to_token.
  • Fixed case CPANEL-27857: Resolve error installing cPanel when cloudlinux-ea4-release is preinstalled.
  • Fixed case CPANEL-27877: Update and add missing service names in WHM menu search.
  • Fixed case CPANEL-27879: Fix self-XSS in BoxTrapper pages.
  • Fixed case CPANEL-27880: Fix BoxTrapper error message.
  • Fixed case CPANEL-27891: Fix broken rename database/users feature on MySQL page.
  • Fixed case CPANEL-27893: fix-cpanel-perl needs to report download errors.
  • Fixed case CPANEL-27894: Fix the confirmation page for the Boxtrapper interface.
  • Fixed case CPANEL-27903: Implement a better search on the TLS status page.
  • Fixed case CPANEL-27904: postgrescheck incorrectly reports password change success when pgsql is down.
  • Fixed case CPANEL-27938: Ensure all rpm calls normalize locale.
  • Implemented case CPANEL-25904: Add new hooks to control transfer session start and completion.
  • Implemented case CPANEL-26420: Allow pass or password when calling createacct WHMAPI1.
  • Implemented case CPANEL-26425: Reduce bin/update_db_cache deptree.
  • Implemented case CPANEL-26444: Reduce binary size of ssl adminbin.
  • Implemented case CPANEL-26450: Reduce time to build and clean js/css files.
  • Implemented case CPANEL-26488: cPanel User Preferences Menu dropdown is implemented in pure Javascript.
  • Implemented case CPANEL-26497: Use non-blocking inotify in tailwatchd.
  • Implemented case CPANEL-26553: Avoid preloading Whostmgr::Accounts::Remove in xml-api.
  • Implemented case CPANEL-26558: Cleanup excess includes for modules removed from cpanelsync_ignore.
  • Implemented case CPANEL-26999: Modularize securemysql into Cpanel::MysqlUtils::Secure.
  • Implemented case CPANEL-27062: Implement routing in Backup Configuration application.
  • Implemented case CPANEL-27069: LicenseComponent should use the flags cache.
  • Implemented case CPANEL-27073: Reduce memory required for post install tasks.
  • Implemented case CPANEL-27079: Prevent compiling in Cpanel::Hostname.
  • Implemented case CPANEL-27081: Remove deprecated Cpanel::DomainTools.
  • Implemented case CPANEL-27098: Convert emailauth to an admin module.
  • Implemented case CPANEL-27147: Rework Cpanel::HttpTimer default timeouts to be inline with yum.
  • Implemented case CPANEL-27223: Create “create_parked_domain_for_user” in WHM API v1.
  • Implemented case CPANEL-27235: Use existing module to determine number of cpus.
  • Implemented case CPANEL-27266: Revise enable/disable behavior for Backup Configuration destinations.
  • Implemented case CPANEL-27282: Deduplicate code in Whostmgr::Accounts::Shell.
  • Implemented case CPANEL-27287: Improve performance of mail admin module.
  • Implemented case CPANEL-27288: Reduce park adminbin size.
  • Implemented case CPANEL-27319: Significantly improve rebuild-templates performance.
  • Implemented case CPANEL-27320: Reduce whostmgr/whostmgr2 binary size.
  • Implemented case CPANEL-27324: Reduce resetpass.cgi memory.
  • Implemented case CPANEL-27326: Move zone.pl to zone.pm.
  • Implemented case CPANEL-27327: Move modsecurity.pl to modsecurity.pm.
  • Implemented case CPANEL-27328: Remove unused string reference in Cpanel::JSON.
  • Implemented case CPANEL-27333: Remove additional EA3 support code.
  • Implemented case CPANEL-27335: Add support for easy license purchase and installation of JetBackup from WHM.
  • Implemented case CPANEL-27341: Reduce memory requires for fresh installs.
  • Implemented case CPANEL-27345: Improve performance of grant support access.
  • Implemented case CPANEL-27348: Convert integration_call to an admin module.
  • Implemented case CPANEL-27351: Convert twofactor to an admin module.
  • Implemented case CPANEL-27353: Convert ftp_call to an admin module.
  • Implemented case CPANEL-27354: Convert session_call to an admin module.
  • Implemented case CPANEL-27355: Convert multilang to an admin module.
  • Implemented case CPANEL-27356: Convert bandwidth_call to an admin module.
  • Implemented case CPANEL-27357: Convert emailstats to an admin module.
  • Implemented case CPANEL-27358: Convert restore to an admin module.
  • Implemented case CPANEL-27360: Convert market to an admin module.
  • Implemented case CPANEL-27383: Convert https_redirects to an admin module.
  • Implemented case CPANEL-27393: Optimize recent changes to the post install scripts.
  • Implemented case CPANEL-27416: Utilize experimental feature flags in WHM UI.
  • Implemented case CPANEL-27420: Remove legacy bin/regenerate_filters.
  • Implemented case CPANEL-27421: Avoid compiling in loadcpconf to unauthenticated templates.
  • Implemented case CPANEL-27428: Reduce the number of temp files needed to verify with GPG.
  • Implemented case CPANEL-27434: Ensure NVData plugin is preloaded in cpanel.
  • Implemented case CPANEL-27435: Reduce memory required for updatenow.
  • Implemented case CPANEL-27436: Reduce bin/start_transfer deptree.
  • Implemented case CPANEL-27437: Resolve performance regression from removing legacy locale.
  • Implemented case CPANEL-27438: API tokens can now be created/updated to have an expiry time.
  • Implemented case CPANEL-27441: Fix stray use in Cpanel::TaskProcessors::DKIMTasks.
  • Implemented case CPANEL-27442: Zone admin module fails to load Whostmgr::DNS::Rebuild.
  • Implemented case CPANEL-27443: Reduce memory required for whostmgr5.
  • Implemented case CPANEL-27449: Remove apps that no longer use MySQL from integration code.
  • Implemented case CPANEL-27450: Convert externalauthentication_call to an admin module.
  • Implemented case CPANEL-27495: Primary domain TLS status in cPanel General Information.
  • Implemented case CPANEL-27496: Change all remaining left over Cpanel::loadmodule to Cpanel::LoadModule.
  • Implemented case CPANEL-27504: Add UAPI coverage for the CPAPI 1 ImageManager module.
  • Implemented case CPANEL-27505: Make pkgacct include Mail worker node homedirs in archives.
  • Implemented case CPANEL-27513: Convert cpgreylist to an admin module.
  • Implemented case CPANEL-27514: Convert notify_call to an admin module.
  • Implemented case CPANEL-27515: Convert passengerapps to an admin module.
  • Implemented case CPANEL-27516: Convert feature to admin module.
  • Implemented case CPANEL-27517: Convert list to an admin module.
  • Implemented case CPANEL-27518: Convert dnssec to an admin module.
  • Implemented case CPANEL-27519: Convert dovecot to an admin module.
  • Implemented case CPANEL-27543: Add API method ‘delssl’ in WHM for deleting SSL vhosts that previously existed only in scripts2/realdelsslhost or UAPI.
  • Implemented case CPANEL-27572: Remove additional simple regexes in cpanel.
  • Implemented case CPANEL-27573: Remove outlook 2000 and express auto setup.
  • Implemented case CPANEL-27574: Dedupe xml-api regexes.
  • Implemented case CPANEL-27575: Resolve major slowdown loading UI customizations.
  • Implemented case CPANEL-27585: Add max time validation to Cpanel::Validate::Time.
  • Implemented case CPANEL-27605: Update perlcc preloads for restartsrv_base.
  • Implemented case CPANEL-27607: Prevent the MySQL installer from calling ensure_rpms when not needed.
  • Implemented case CPANEL-27610: Make AutoSSL give “status_message” from the cPStore provider.
  • Implemented case CPANEL-27612: Defer mailman and site publisher install to avoid first upcp.
  • Implemented case CPANEL-27629: Setup swap sooner.
  • Implemented case CPANEL-27646: Resolve performance regression checking for dedicated ip.
  • Implemented case CPANEL-27675: Ensure EA4 fs setup is always done before install_apache.
  • Implemented case CPANEL-27680: Add cPanel bundled services to the installed list check exception.
  • Implemented case CPANEL-27685: Resolve perform regression from uib-typehead to pure js conversion.
  • Implemented case CPANEL-27691: Reduce UAPI overhead on cPanel home page.
  • Implemented case CPANEL-27699: Optimize dnsonly startup checks.
  • Implemented case CPANEL-27704: Report cPStore “message” for hostname certificate failures.
  • Implemented case CPANEL-27708: TLS Wizard now properly reflects cancellation.
  • Implemented case CPANEL-27709: Report “status_message” from cPStore in paid certificate order status.
  • Implemented case CPANEL-27734: Reduce time to setup benchmarking.
  • Implemented case CPANEL-27738: Create WebSocket “MysqlDump” endpoint.
  • Implemented case CPANEL-27743: Add CalDAV & CardDAV account setup to iOS mobileconfigs.
  • Implemented case CPANEL-27746: Create UAPI Mysql::dump_database_schema.
  • Implemented case CPANEL-27750: Create new UAPI GPG calls to replace API1 GPG calls.
  • Implemented case CPANEL-27753: Ensure yum install calls use fastspawn.
  • Implemented case CPANEL-27770: Optimize parsing of http dates.
  • Implemented case CPANEL-27773: Show SSL errors on Primary domain in cPanel.
  • Implemented case CPANEL-27782: Make check_cpanel_rpms able to recover build nodes faster.
  • Implemented case CPANEL-27985: Add a new API to get_maximum_users via whmapi1.

CVE Reference Key/Maps

Reference Key

Each reference used in CVE has the following structure:


  • SOURCE is an alphanumeric keyword.
    (Examples: “BUGTRAQ”, “OVAL”, etc.)
  • NAME is a single line of ASCII text and can include colons and spaces.
    (Examples: “BUGTRAQ: Posting to Bugtraq mailing list”; “OVAL: Open Vulnerability and Assessment Language (OVAL) vulnerability definition”; etc.)

Where possible, the NAME is selected to facilitate searches on a SOURCE’s website. For references that do not have a well-defined identifier, a release date and/or subject header may be included.

Reference Order

References are typically listed in the order below:

  • Initial announcement
  • Response team advisory
  • Vendor acknowledgement/advisory
  • All other public sources