cPanel prior to 60.0.25 allows self XSS in the tail_ea4_migration.cgi interface (SEC-172).
cpanel cpanel