cPanel before 68.0.27 creates world-readable files during use of WHM Apache Includes Editor (SEC-388).
CWE-200
CVE-2018-20958
The Bluetooth Low Energy (BLE) subsystem on Tapplock devices before 2018-06-12 relies on Key1 and SerialNo for unlock operations; however, these are derived from the MAC address, which is broadcast by the device.
CVE-2018-20902
cPanel before 71.9980.37 allows attackers to read root’s crontab file by leveraging ClamAV installation (SEC-408).
CVE-2018-20913
cPanel before 70.0.23 allows attackers to read the root accesshash via the WHM /cgi/trustclustermaster.cgi (SEC-364).
CVE-2018-20870
The WebDAV transport feature in cPanel before 76.0.8 enables debug logging (SEC-467).
CVE-2018-20889
cPanel before 74.0.0 allows certain file-read operations via password file caching (SEC-425).