cPanel prior to 60.0.25 allows stored XSS in the WHM Repair Mailbox Permissions interface (SEC-159).
cpanel cpanel